mbedtls | Mbed

Arcola » Code » mbedtls

ChangeLog@1:9ebc941037d5, 2017-09-29 (annotated)

Committer:: Jasper Wallace
Date:: Fri Sep 29 18:41:59 2017 +0100
Revision:: 1:9ebc941037d5
Parent:: 0:cdf462088d13
Child:: 2:bbdeda018a3c

Update to mbedtls 2.4.2, security fixes



Changes to mbedtls sources made:



in include/mbedtls/config.h comment out:



#define MBEDTLS_FS_IO

#define MBEDTLS_NET_C

#define MBEDTLS_TIMING_C



uncomment:



#define MBEDTLS_NO_PLATFORM_ENTROPY

Who changed what in which revision?

User	Revision	Line number	New contents of line
markrad	0:cdf462088d13	1	mbed TLS ChangeLog (Sorted per branch, date)
markrad	0:cdf462088d13	2
Jasper Wallace	1:9ebc941037d5	3	= mbed TLS 2.4.2 branch released 2017-03-08
Jasper Wallace	1:9ebc941037d5	4
Jasper Wallace	1:9ebc941037d5	5	Security
Jasper Wallace	1:9ebc941037d5	6	* Add checks to prevent signature forgeries for very large messages while
Jasper Wallace	1:9ebc941037d5	7	using RSA through the PK module in 64-bit systems. The issue was caused by
Jasper Wallace	1:9ebc941037d5	8	some data loss when casting a size_t to an unsigned int value in the
Jasper Wallace	1:9ebc941037d5	9	functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and
Jasper Wallace	1:9ebc941037d5	10	mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
Jasper Wallace	1:9ebc941037d5	11	* Fixed potential livelock during the parsing of a CRL in PEM format in
Jasper Wallace	1:9ebc941037d5	12	mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing
Jasper Wallace	1:9ebc941037d5	13	characters after the footer could result in the execution of an infinite
Jasper Wallace	1:9ebc941037d5	14	loop. The issue can be triggered remotely. Found by Greg Zaverucha,
Jasper Wallace	1:9ebc941037d5	15	Microsoft.
Jasper Wallace	1:9ebc941037d5	16	* Removed MD5 from the allowed hash algorithms for CertificateRequest and
Jasper Wallace	1:9ebc941037d5	17	CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2.
Jasper Wallace	1:9ebc941037d5	18	Introduced by interoperability fix for #513.
Jasper Wallace	1:9ebc941037d5	19	* Fixed a bug that caused freeing a buffer that was allocated on the stack,
Jasper Wallace	1:9ebc941037d5	20	when verifying the validity of a key on secp224k1. This could be
Jasper Wallace	1:9ebc941037d5	21	triggered remotely for example with a maliciously constructed certificate
Jasper Wallace	1:9ebc941037d5	22	and potentially could lead to remote code execution on some platforms.
Jasper Wallace	1:9ebc941037d5	23	Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos
Jasper Wallace	1:9ebc941037d5	24	team. #569 CVE-2017-2784
Jasper Wallace	1:9ebc941037d5	25
Jasper Wallace	1:9ebc941037d5	26	Bugfix
Jasper Wallace	1:9ebc941037d5	27	* Fix output certificate verification flags set by x509_crt_verify_top() when
Jasper Wallace	1:9ebc941037d5	28	traversing a chain of trusted CA. The issue would cause both flags,
Jasper Wallace	1:9ebc941037d5	29	MBEDTLS_X509_BADCERT_NOT_TRUSTED and MBEDTLS_X509_BADCERT_EXPIRED, to be
Jasper Wallace	1:9ebc941037d5	30	set when the verification conditions are not met regardless of the cause.
Jasper Wallace	1:9ebc941037d5	31	Found by Harm Verhagen and inestlerode. #665 #561
Jasper Wallace	1:9ebc941037d5	32	* Fix the redefinition of macro ssl_set_bio to an undefined symbol
Jasper Wallace	1:9ebc941037d5	33	mbedtls_ssl_set_bio_timeout in compat-1.3.h, by removing it.
Jasper Wallace	1:9ebc941037d5	34	Found by omlib-lin. #673
Jasper Wallace	1:9ebc941037d5	35	* Fix unused variable/function compilation warnings in pem.c, x509_crt.c and
Jasper Wallace	1:9ebc941037d5	36	x509_csr.c that are reported when building mbed TLS with a config.h that
Jasper Wallace	1:9ebc941037d5	37	does not define MBEDTLS_PEM_PARSE_C. Found by omnium21. #562
Jasper Wallace	1:9ebc941037d5	38	* Fix incorrect renegotiation condition in ssl_check_ctr_renegotiate() that
Jasper Wallace	1:9ebc941037d5	39	would compare 64 bits of the record counter instead of 48 bits as indicated
Jasper Wallace	1:9ebc941037d5	40	in RFC 6347 Section 4.3.1. This could cause the execution of the
Jasper Wallace	1:9ebc941037d5	41	renegotiation routines at unexpected times when the protocol is DTLS. Found
Jasper Wallace	1:9ebc941037d5	42	by wariua. #687
Jasper Wallace	1:9ebc941037d5	43	* Fixed multiple buffer overreads in mbedtls_pem_read_buffer() when parsing
Jasper Wallace	1:9ebc941037d5	44	the input string in PEM format to extract the different components. Found
Jasper Wallace	1:9ebc941037d5	45	by Eyal Itkin.
Jasper Wallace	1:9ebc941037d5	46	* Fixed potential arithmetic overflow in mbedtls_ctr_drbg_reseed() that could
Jasper Wallace	1:9ebc941037d5	47	cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace	1:9ebc941037d5	48	* Fixed potential arithmetic overflows in mbedtls_cipher_update() that could
Jasper Wallace	1:9ebc941037d5	49	cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace	1:9ebc941037d5	50	* Fixed potential arithmetic overflow in mbedtls_md2_update() that could
Jasper Wallace	1:9ebc941037d5	51	cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace	1:9ebc941037d5	52	* Fixed potential arithmetic overflow in mbedtls_base64_decode() that could
Jasper Wallace	1:9ebc941037d5	53	cause buffer bound checks to be bypassed. Found by Eyal Itkin.
Jasper Wallace	1:9ebc941037d5	54	* Fixed heap overreads in mbedtls_x509_get_time(). Found by Peng
Jasper Wallace	1:9ebc941037d5	55	Li/Yueh-Hsun Lin, KNOX Security, Samsung Research America.
Jasper Wallace	1:9ebc941037d5	56	* Fix potential memory leak in mbedtls_x509_crl_parse(). The leak was caused
Jasper Wallace	1:9ebc941037d5	57	by missing calls to mbedtls_pem_free() in cases when a
Jasper Wallace	1:9ebc941037d5	58	MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT error was encountered. Found and
Jasper Wallace	1:9ebc941037d5	59	fix proposed by Guido Vranken. #722
Jasper Wallace	1:9ebc941037d5	60	* Fixed the templates used to generate project and solution files for Visual
Jasper Wallace	1:9ebc941037d5	61	Studio 2015 as well as the files themselves, to remove a build warning
Jasper Wallace	1:9ebc941037d5	62	generated in Visual Studio 2015. Reported by Steve Valliere. #742
Jasper Wallace	1:9ebc941037d5	63	* Fix a resource leak in ssl_cookie, when using MBEDTLS_THREADING_C.
Jasper Wallace	1:9ebc941037d5	64	Raised and fix suggested by Alan Gillingham in the mbed TLS forum. #771
Jasper Wallace	1:9ebc941037d5	65	* Fix 1 byte buffer overflow in mbedtls_mpi_write_string() when the MPI
Jasper Wallace	1:9ebc941037d5	66	number to write in hexadecimal is negative and requires an odd number of
Jasper Wallace	1:9ebc941037d5	67	digits. Found and fixed by Guido Vranken.
Jasper Wallace	1:9ebc941037d5	68	* Fix unlisted DES configuration dependency in some pkparse test cases. Found
Jasper Wallace	1:9ebc941037d5	69	by inestlerode. #555
Jasper Wallace	1:9ebc941037d5	70
markrad	0:cdf462088d13	71	= mbed TLS 2.4.1 branch released 2016-12-13
markrad	0:cdf462088d13	72
markrad	0:cdf462088d13	73	Changes
markrad	0:cdf462088d13	74	* Update to CMAC test data, taken from - NIST Special Publication 800-38B -
markrad	0:cdf462088d13	75	Recommendation for Block Cipher Modes of Operation: The CMAC Mode for
markrad	0:cdf462088d13	76	Authentication – October 2016
markrad	0:cdf462088d13	77
markrad	0:cdf462088d13	78	= mbed TLS 2.4.0 branch released 2016-10-17
markrad	0:cdf462088d13	79
markrad	0:cdf462088d13	80	Security
markrad	0:cdf462088d13	81	* Removed the MBEDTLS_SSL_AEAD_RANDOM_IV option, because it was not compliant
markrad	0:cdf462088d13	82	with RFC-5116 and could lead to session key recovery in very long TLS
markrad	0:cdf462088d13	83	sessions. "Nonce-Disrespecting Adversaries Practical Forgery Attacks on GCM in
markrad	0:cdf462088d13	84	TLS" - H. Bock, A. Zauner, S. Devlin, J. Somorovsky, P. Jovanovic.
markrad	0:cdf462088d13	85	https://eprint.iacr.org/2016/475.pdf
markrad	0:cdf462088d13	86	* Fixed potential stack corruption in mbedtls_x509write_crt_der() and
markrad	0:cdf462088d13	87	mbedtls_x509write_csr_der() when the signature is copied to the buffer
markrad	0:cdf462088d13	88	without checking whether there is enough space in the destination. The
markrad	0:cdf462088d13	89	issue cannot be triggered remotely. Found by Jethro Beekman.
markrad	0:cdf462088d13	90
markrad	0:cdf462088d13	91	Features
markrad	0:cdf462088d13	92	* Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by
markrad	0:cdf462088d13	93	NIST SP 800-38B, RFC-4493 and RFC-4615.
markrad	0:cdf462088d13	94	* Added hardware entropy selftest to verify that the hardware entropy source
markrad	0:cdf462088d13	95	is functioning correctly.
markrad	0:cdf462088d13	96	* Added a script to print build environment info for diagnostic use in test
markrad	0:cdf462088d13	97	scripts, which is also now called by all.sh.
markrad	0:cdf462088d13	98	* Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to
markrad	0:cdf462088d13	99	configure the maximum length of a file path that can be buffered when
markrad	0:cdf462088d13	100	calling mbedtls_x509_crt_parse_path().
markrad	0:cdf462088d13	101	* Added a configuration file config-no-entropy.h that configures the subset of
markrad	0:cdf462088d13	102	library features that do not require an entropy source.
markrad	0:cdf462088d13	103	* Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h. This allows users
markrad	0:cdf462088d13	104	to configure the minimum number of bytes for entropy sources using the
markrad	0:cdf462088d13	105	mbedtls_hardware_poll() function.
markrad	0:cdf462088d13	106
markrad	0:cdf462088d13	107	Bugfix
markrad	0:cdf462088d13	108	* Fix for platform time abstraction to avoid dependency issues where a build
markrad	0:cdf462088d13	109	may need time but not the standard C library abstraction, and added
markrad	0:cdf462088d13	110	configuration consistency checks to check_config.h
markrad	0:cdf462088d13	111	* Fix dependency issue in Makefile to allow parallel builds.
markrad	0:cdf462088d13	112	* Fix incorrect handling of block lengths in crypt_and_hash.c sample program,
markrad	0:cdf462088d13	113	when GCM is used. Found by udf2457. #441
markrad	0:cdf462088d13	114	* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
markrad	0:cdf462088d13	115	enabled unless others were also present. Found by David Fernandez. #428
markrad	0:cdf462088d13	116	* Fix for out-of-tree builds using CMake. Found by jwurzer, and fix based on
markrad	0:cdf462088d13	117	a contribution from Tobias Tangemann. #541
markrad	0:cdf462088d13	118	* Fixed cert_app.c sample program for debug output and for use when no root
markrad	0:cdf462088d13	119	certificates are provided.
markrad	0:cdf462088d13	120	* Fix conditional statement that would cause a 1 byte overread in
markrad	0:cdf462088d13	121	mbedtls_asn1_get_int(). Found and fixed by Guido Vranken. #599
markrad	0:cdf462088d13	122	* Fixed pthread implementation to avoid unintended double initialisations
markrad	0:cdf462088d13	123	and double frees. Found by Niklas Amnebratt.
markrad	0:cdf462088d13	124	* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
markrad	0:cdf462088d13	125	builds where the configuration MBEDTLS_PEM_WRITE_C is not defined. Found
markrad	0:cdf462088d13	126	by inestlerode. #559.
markrad	0:cdf462088d13	127	* Fix mbedtls_x509_get_sig() to update the ASN1 type in the mbedtls_x509_buf
markrad	0:cdf462088d13	128	data structure until after error checks are successful. Found by
markrad	0:cdf462088d13	129	subramanyam-c. #622
markrad	0:cdf462088d13	130	* Fix documentation and implementation missmatch for function arguments of
markrad	0:cdf462088d13	131	mbedtls_gcm_finish(). Found by cmiatpaar. #602
markrad	0:cdf462088d13	132	* Guarantee that P>Q at RSA key generation. Found by inestlerode. #558
markrad	0:cdf462088d13	133	* Fix potential byte overread when verifying malformed SERVER_HELLO in
markrad	0:cdf462088d13	134	ssl_parse_hello_verify_request() for DTLS. Found by Guido Vranken.
markrad	0:cdf462088d13	135	* Fix check for validity of date when parsing in mbedtls_x509_get_time().
markrad	0:cdf462088d13	136	Found by subramanyam-c. #626
markrad	0:cdf462088d13	137	* Fix compatibility issue with Internet Explorer client authentication,
markrad	0:cdf462088d13	138	where the limited hash choices prevented the client from sending its
markrad	0:cdf462088d13	139	certificate. Found by teumas. #513
markrad	0:cdf462088d13	140	* Fix compilation without MBEDTLS_SELF_TEST enabled.
markrad	0:cdf462088d13	141
markrad	0:cdf462088d13	142	Changes
markrad	0:cdf462088d13	143	* Extended test coverage of special cases, and added new timing test suite.
markrad	0:cdf462088d13	144	* Removed self-tests from the basic-built-test.sh script, and added all
markrad	0:cdf462088d13	145	missing self-tests to the test suites, to ensure self-tests are only
markrad	0:cdf462088d13	146	executed once.
markrad	0:cdf462088d13	147	* Added support for 3 and 4 byte lengths to mbedtls_asn1_write_len().
markrad	0:cdf462088d13	148	* Added support for a Yotta specific configuration file -
markrad	0:cdf462088d13	149	through the symbol YOTTA_CFG_MBEDTLS_TARGET_CONFIG_FILE.
markrad	0:cdf462088d13	150	* Added optimization for code space for X.509/OID based on configured
markrad	0:cdf462088d13	151	features. Contributed by Aviv Palivoda.
markrad	0:cdf462088d13	152	* Renamed source file library/net.c to library/net_sockets.c to avoid
markrad	0:cdf462088d13	153	naming collision in projects which also have files with the common name
markrad	0:cdf462088d13	154	net.c. For consistency, the corresponding header file, net.h, is marked as
markrad	0:cdf462088d13	155	deprecated, and its contents moved to net_sockets.h.
markrad	0:cdf462088d13	156	* Changed the strategy for X.509 certificate parsing and validation, to no
markrad	0:cdf462088d13	157	longer disregard certificates with unrecognised fields.
markrad	0:cdf462088d13	158
markrad	0:cdf462088d13	159	= mbed TLS 2.3.0 branch released 2016-06-28
markrad	0:cdf462088d13	160
markrad	0:cdf462088d13	161	Security
markrad	0:cdf462088d13	162	* Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt
markrad	0:cdf462088d13	163	required by PKCS1 v2.2
markrad	0:cdf462088d13	164	* Fix potential integer overflow to buffer overflow in
markrad	0:cdf462088d13	165	mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
markrad	0:cdf462088d13	166	(not triggerable remotely in (D)TLS).
markrad	0:cdf462088d13	167	* Fix a potential integer underflow to buffer overread in
markrad	0:cdf462088d13	168	mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in
markrad	0:cdf462088d13	169	SSL/TLS.
markrad	0:cdf462088d13	170
markrad	0:cdf462088d13	171	Features
markrad	0:cdf462088d13	172	* Support for platform abstraction of the standard C library time()
markrad	0:cdf462088d13	173	function.
markrad	0:cdf462088d13	174
markrad	0:cdf462088d13	175	Bugfix
markrad	0:cdf462088d13	176	* Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three
markrad	0:cdf462088d13	177	arguments where the same (in-place doubling). Found and fixed by Janos
markrad	0:cdf462088d13	178	Follath. #309
markrad	0:cdf462088d13	179	* Fix potential build failures related to the 'apidoc' target, introduced
markrad	0:cdf462088d13	180	in the previous patch release. Found by Robert Scheck. #390 #391
markrad	0:cdf462088d13	181	* Fix issue in Makefile that prevented building using armar. #386
markrad	0:cdf462088d13	182	* Fix memory leak that occured only when ECJPAKE was enabled and ECDHE and
markrad	0:cdf462088d13	183	ECDSA was disabled in config.h . The leak didn't occur by default.
markrad	0:cdf462088d13	184	* Fix an issue that caused valid certificates to be rejected whenever an
markrad	0:cdf462088d13	185	expired or not yet valid certificate was parsed before a valid certificate
markrad	0:cdf462088d13	186	in the trusted certificate list.
markrad	0:cdf462088d13	187	* Fix bug in mbedtls_x509_crt_parse that caused trailing extra data in the
markrad	0:cdf462088d13	188	buffer after DER certificates to be included in the raw representation.
markrad	0:cdf462088d13	189	* Fix issue that caused a hang when generating RSA keys of odd bitlength
markrad	0:cdf462088d13	190	* Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer
markrad	0:cdf462088d13	191	dereference possible.
markrad	0:cdf462088d13	192	* Fix issue that caused a crash if invalid curves were passed to
markrad	0:cdf462088d13	193	mbedtls_ssl_conf_curves. #373
markrad	0:cdf462088d13	194	* Fix issue in ssl_fork_server which was preventing it from functioning. #429
markrad	0:cdf462088d13	195	* Fix memory leaks in test framework
markrad	0:cdf462088d13	196	* Fix test in ssl-opt.sh that does not run properly with valgrind
markrad	0:cdf462088d13	197	* Fix unchecked calls to mmbedtls_md_setup(). Fix by Brian Murray. #502
markrad	0:cdf462088d13	198
markrad	0:cdf462088d13	199	Changes
markrad	0:cdf462088d13	200	* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
markrad	0:cdf462088d13	201	don't use the optimized assembly for bignum multiplication. This removes
markrad	0:cdf462088d13	202	the need to pass -fomit-frame-pointer to avoid a build error with -O0.
markrad	0:cdf462088d13	203	* Disabled SSLv3 in the default configuration.
markrad	0:cdf462088d13	204	* Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
markrad	0:cdf462088d13	205	Skalozub).
markrad	0:cdf462088d13	206	* Fix non-compliance server extension handling. Extensions for SSLv3 are now
markrad	0:cdf462088d13	207	ignored, as required by RFC6101.
markrad	0:cdf462088d13	208
markrad	0:cdf462088d13	209	= mbed TLS 2.2.1 released 2016-01-05
markrad	0:cdf462088d13	210
markrad	0:cdf462088d13	211	Security
markrad	0:cdf462088d13	212	* Fix potential double free when mbedtls_asn1_store_named_data() fails to
markrad	0:cdf462088d13	213	allocate memory. Only used for certificate generation, not triggerable
markrad	0:cdf462088d13	214	remotely in SSL/TLS. Found by Rafał Przywara. #367
markrad	0:cdf462088d13	215	* Disable MD5 handshake signatures in TLS 1.2 by default to prevent the
markrad	0:cdf462088d13	216	SLOTH attack on TLS 1.2 server authentication (other attacks from the
markrad	0:cdf462088d13	217	SLOTH paper do not apply to any version of mbed TLS or PolarSSL).
markrad	0:cdf462088d13	218	https://www.mitls.org/pages/attacks/SLOTH
markrad	0:cdf462088d13	219
markrad	0:cdf462088d13	220	Bugfix
markrad	0:cdf462088d13	221	* Fix over-restrictive length limit in GCM. Found by Andreas-N. #362
markrad	0:cdf462088d13	222	* Fix bug in certificate validation that caused valid chains to be rejected
markrad	0:cdf462088d13	223	when the first intermediate certificate has pathLenConstraint=0. Found by
markrad	0:cdf462088d13	224	Nicholas Wilson. Introduced in mbed TLS 2.2.0. #280
markrad	0:cdf462088d13	225	* Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign(), found by
markrad	0:cdf462088d13	226	JayaraghavendranK. #372
markrad	0:cdf462088d13	227	* Fix suboptimal handling of unexpected records that caused interop issues
markrad	0:cdf462088d13	228	with some peers over unreliable links. Avoid dropping an entire DTLS
markrad	0:cdf462088d13	229	datagram if a single record in a datagram is unexpected, instead only
markrad	0:cdf462088d13	230	drop the record and look at subsequent records (if any are present) in
markrad	0:cdf462088d13	231	the same datagram. Found by jeannotlapin. #345
markrad	0:cdf462088d13	232
markrad	0:cdf462088d13	233	= mbed TLS 2.2.0 released 2015-11-04
markrad	0:cdf462088d13	234
markrad	0:cdf462088d13	235	Security
markrad	0:cdf462088d13	236	* Fix potential double free if mbedtls_ssl_conf_psk() is called more than
markrad	0:cdf462088d13	237	once and some allocation fails. Cannot be forced remotely. Found by Guido
markrad	0:cdf462088d13	238	Vranken, Intelworks.
markrad	0:cdf462088d13	239	* Fix potential heap corruption on Windows when
markrad	0:cdf462088d13	240	mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
markrad	0:cdf462088d13	241	triggered remotely. Found by Guido Vranken, Intelworks.
markrad	0:cdf462088d13	242	* Fix potential buffer overflow in some asn1_write_xxx() functions.
markrad	0:cdf462088d13	243	Cannot be triggered remotely unless you create X.509 certificates based
markrad	0:cdf462088d13	244	on untrusted input or write keys of untrusted origin. Found by Guido
markrad	0:cdf462088d13	245	Vranken, Intelworks.
markrad	0:cdf462088d13	246	* The X509 max_pathlen constraint was not enforced on intermediate
markrad	0:cdf462088d13	247	certificates. Found by Nicholas Wilson, fix and tests provided by
markrad	0:cdf462088d13	248	Janos Follath. #280 and #319
markrad	0:cdf462088d13	249
markrad	0:cdf462088d13	250	Features
markrad	0:cdf462088d13	251	* Experimental support for EC J-PAKE as defined in Thread 1.0.0.
markrad	0:cdf462088d13	252	Disabled by default as the specification might still change.
markrad	0:cdf462088d13	253	* Added a key extraction callback to accees the master secret and key
markrad	0:cdf462088d13	254	block. (Potential uses include EAP-TLS and Thread.)
markrad	0:cdf462088d13	255
markrad	0:cdf462088d13	256	Bugfix
markrad	0:cdf462088d13	257	* Self-signed certificates were not excluded from pathlen counting,
markrad	0:cdf462088d13	258	resulting in some valid X.509 being incorrectly rejected. Found and fix
markrad	0:cdf462088d13	259	provided by Janos Follath. #319
markrad	0:cdf462088d13	260	* Fix build error with configurations where ECDHE-PSK is the only key
markrad	0:cdf462088d13	261	exchange. Found and fix provided by Chris Hammond. #270
markrad	0:cdf462088d13	262	* Fix build error with configurations where RSA, RSA-PSK, ECDH-RSA or
markrad	0:cdf462088d13	263	ECHD-ECDSA if the only key exchange. Multiple reports. #310
markrad	0:cdf462088d13	264	* Fixed a bug causing some handshakes to fail due to some non-fatal alerts
markrad	0:cdf462088d13	265	not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
markrad	0:cdf462088d13	266	* mbedtls_x509_crt_verify(_with_profile)() now also checks the key type and
markrad	0:cdf462088d13	267	size/curve against the profile. Before that, there was no way to set a
markrad	0:cdf462088d13	268	minimum key size for end-entity certificates with RSA keys. Found by
markrad	0:cdf462088d13	269	Matthew Page of Scannex Electronics Ltd.
markrad	0:cdf462088d13	270	* Fix failures in MPI on Sparc(64) due to use of bad assembly code.
markrad	0:cdf462088d13	271	Found by Kurt Danielson. #292
markrad	0:cdf462088d13	272	* Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
markrad	0:cdf462088d13	273	* Fix bug in ASN.1 encoding of booleans that caused generated CA
markrad	0:cdf462088d13	274	certificates to be rejected by some applications, including OS X
markrad	0:cdf462088d13	275	Keychain. Found and fixed by Jonathan Leroy, Inikup.
markrad	0:cdf462088d13	276
markrad	0:cdf462088d13	277	Changes
markrad	0:cdf462088d13	278	* Improved performance of mbedtls_ecp_muladd() when one of the scalars is 1
markrad	0:cdf462088d13	279	or -1.
markrad	0:cdf462088d13	280
markrad	0:cdf462088d13	281	= mbed TLS 2.1.2 released 2015-10-06
markrad	0:cdf462088d13	282
markrad	0:cdf462088d13	283	Security
markrad	0:cdf462088d13	284	* Added fix for CVE-2015-5291 to prevent heap corruption due to buffer
markrad	0:cdf462088d13	285	overflow of the hostname or session ticket. Found by Guido Vranken,
markrad	0:cdf462088d13	286	Intelworks.
markrad	0:cdf462088d13	287	* Fix potential double-free if mbedtls_ssl_set_hs_psk() is called more than
markrad	0:cdf462088d13	288	once in the same handhake and mbedtls_ssl_conf_psk() was used.
markrad	0:cdf462088d13	289	Found and patch provided by Guido Vranken, Intelworks. Cannot be forced
markrad	0:cdf462088d13	290	remotely.
markrad	0:cdf462088d13	291	* Fix stack buffer overflow in pkcs12 decryption (used by
markrad	0:cdf462088d13	292	mbedtls_pk_parse_key(file)() when the password is > 129 bytes.
markrad	0:cdf462088d13	293	Found by Guido Vranken, Intelworks. Not triggerable remotely.
markrad	0:cdf462088d13	294	* Fix potential buffer overflow in mbedtls_mpi_read_string().
markrad	0:cdf462088d13	295	Found by Guido Vranken, Intelworks. Not exploitable remotely in the context
markrad	0:cdf462088d13	296	of TLS, but might be in other uses. On 32 bit machines, requires reading a
markrad	0:cdf462088d13	297	string of close to or larger than 1GB to exploit; on 64 bit machines, would
markrad	0:cdf462088d13	298	require reading a string of close to or larger than 2^62 bytes.
markrad	0:cdf462088d13	299	* Fix potential random memory allocation in mbedtls_pem_read_buffer()
markrad	0:cdf462088d13	300	on crafted PEM input data. Found and fix provided by Guido Vranken,
markrad	0:cdf462088d13	301	Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you
markrad	0:cdf462088d13	302	accept PEM data from an untrusted source.
markrad	0:cdf462088d13	303	* Fix possible heap buffer overflow in base64_encoded() when the input
markrad	0:cdf462088d13	304	buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken,
markrad	0:cdf462088d13	305	Intelworks. Not trigerrable remotely in TLS.
markrad	0:cdf462088d13	306	* Fix potential double-free if mbedtls_conf_psk() is called repeatedly on
markrad	0:cdf462088d13	307	the same mbedtls_ssl_config object and memory allocation fails. Found by
markrad	0:cdf462088d13	308	Guido Vranken, Intelworks. Cannot be forced remotely.
markrad	0:cdf462088d13	309	* Fix potential heap buffer overflow in servers that perform client
markrad	0:cdf462088d13	310	authentication against a crafted CA cert. Cannot be triggered remotely
markrad	0:cdf462088d13	311	unless you allow third parties to pick trust CAs for client auth.
markrad	0:cdf462088d13	312	Found by Guido Vranken, Intelworks.
markrad	0:cdf462088d13	313
markrad	0:cdf462088d13	314	Bugfix
markrad	0:cdf462088d13	315	* Fix compile error in net.c with musl libc. Found and patch provided by
markrad	0:cdf462088d13	316	zhasha (#278).
markrad	0:cdf462088d13	317	* Fix macroization of 'inline' keyword when building as C++. (#279)
markrad	0:cdf462088d13	318
markrad	0:cdf462088d13	319	Changes
markrad	0:cdf462088d13	320	* Added checking of hostname length in mbedtls_ssl_set_hostname() to ensure
markrad	0:cdf462088d13	321	domain names are compliant with RFC 1035.
markrad	0:cdf462088d13	322	* Fixed paths for check_config.h in example config files. (Found by bachp)
markrad	0:cdf462088d13	323	(#291)
markrad	0:cdf462088d13	324
markrad	0:cdf462088d13	325	= mbed TLS 2.1.1 released 2015-09-17
markrad	0:cdf462088d13	326
markrad	0:cdf462088d13	327	Security
markrad	0:cdf462088d13	328	* Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5
markrad	0:cdf462088d13	329	signatures. (Found by Florian Weimer, Red Hat.)
markrad	0:cdf462088d13	330	https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
markrad	0:cdf462088d13	331	* Fix possible client-side NULL pointer dereference (read) when the client
markrad	0:cdf462088d13	332	tries to continue the handshake after it failed (a misuse of the API).
markrad	0:cdf462088d13	333	(Found and patch provided by Fabian Foerg, Gotham Digital Science using
markrad	0:cdf462088d13	334	afl-fuzz.)
markrad	0:cdf462088d13	335
markrad	0:cdf462088d13	336	Bugfix
markrad	0:cdf462088d13	337	* Fix warning when using a 64bit platform. (found by embedthis) (#275)
markrad	0:cdf462088d13	338	* Fix off-by-one error in parsing Supported Point Format extension that
markrad	0:cdf462088d13	339	caused some handshakes to fail.
markrad	0:cdf462088d13	340
markrad	0:cdf462088d13	341	Changes
markrad	0:cdf462088d13	342	* Made X509 profile pointer const in mbedtls_ssl_conf_cert_profile() to allow
markrad	0:cdf462088d13	343	use of mbedtls_x509_crt_profile_next. (found by NWilson)
markrad	0:cdf462088d13	344	* When a client initiates a reconnect from the same port as a live
markrad	0:cdf462088d13	345	connection, if cookie verification is available
markrad	0:cdf462088d13	346	(MBEDTLS_SSL_DTLS_HELLO_VERIFY defined in config.h, and usable cookie
markrad	0:cdf462088d13	347	callbacks set with mbedtls_ssl_conf_dtls_cookies()), this will be
markrad	0:cdf462088d13	348	detected and mbedtls_ssl_read() will return
markrad	0:cdf462088d13	349	MBEDTLS_ERR_SSL_CLIENT_RECONNECT - it is then possible to start a new
markrad	0:cdf462088d13	350	handshake with the same context. (See RFC 6347 section 4.2.8.)
markrad	0:cdf462088d13	351
markrad	0:cdf462088d13	352	= mbed TLS 2.1.0 released 2015-09-04
markrad	0:cdf462088d13	353
markrad	0:cdf462088d13	354	Features
markrad	0:cdf462088d13	355	* Added support for yotta as a build system.
markrad	0:cdf462088d13	356	* Primary open source license changed to Apache 2.0 license.
markrad	0:cdf462088d13	357
markrad	0:cdf462088d13	358	Bugfix
markrad	0:cdf462088d13	359	* Fix segfault in the benchmark program when benchmarking DHM.
markrad	0:cdf462088d13	360	* Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo
markrad	0:cdf462088d13	361	Leisink).
markrad	0:cdf462088d13	362	* Fix bug when parsing a ServerHello without extensions (found by David
markrad	0:cdf462088d13	363	Sears).
markrad	0:cdf462088d13	364	* Fix bug in CMake lists that caused libmbedcrypto.a not to be installed
markrad	0:cdf462088d13	365	(found by Benoit Lecocq).
markrad	0:cdf462088d13	366	* Fix bug in Makefile that caused libmbedcrypto and libmbedx509 not to be
markrad	0:cdf462088d13	367	installed (found by Rawi666).
markrad	0:cdf462088d13	368	* Fix compile error with armcc 5 with --gnu option.
markrad	0:cdf462088d13	369	* Fix bug in Makefile that caused programs not to be installed correctly
markrad	0:cdf462088d13	370	(found by robotanarchy) (#232).
markrad	0:cdf462088d13	371	* Fix bug in Makefile that prevented from installing without building the
markrad	0:cdf462088d13	372	tests (found by robotanarchy) (#232).
markrad	0:cdf462088d13	373	* Fix missing -static-libgcc when building shared libraries for Windows
markrad	0:cdf462088d13	374	with make.
markrad	0:cdf462088d13	375	* Fix link error when building shared libraries for Windows with make.
markrad	0:cdf462088d13	376	* Fix error when loading libmbedtls.so.
markrad	0:cdf462088d13	377	* Fix bug in mbedtls_ssl_conf_default() that caused the default preset to
markrad	0:cdf462088d13	378	be always used (found by dcb314) (#235)
markrad	0:cdf462088d13	379	* Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could
markrad	0:cdf462088d13	380	result trying to unlock an unlocked mutex on invalid input (found by
markrad	0:cdf462088d13	381	Fredrik Axelsson) (#257)
markrad	0:cdf462088d13	382	* Fix -Wshadow warnings (found by hnrkp) (#240)
markrad	0:cdf462088d13	383	* Fix memory corruption on client with overlong PSK identity, around
markrad	0:cdf462088d13	384	SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by
markrad	0:cdf462088d13	385	Aleksandrs Saveljevs) (#238)
markrad	0:cdf462088d13	386	* Fix unused function warning when using MBEDTLS_MDx_ALT or
markrad	0:cdf462088d13	387	MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
markrad	0:cdf462088d13	388	* Fix memory corruption in pkey programs (found by yankuncheng) (#210)
markrad	0:cdf462088d13	389
markrad	0:cdf462088d13	390	Changes
markrad	0:cdf462088d13	391	* The PEM parser now accepts a trailing space at end of lines (#226).
markrad	0:cdf462088d13	392	* It is now possible to #include a user-provided configuration file at the
markrad	0:cdf462088d13	393	end of the default config.h by defining MBEDTLS_USER_CONFIG_FILE on the
markrad	0:cdf462088d13	394	compiler's command line.
markrad	0:cdf462088d13	395	* When verifying a certificate chain, if an intermediate certificate is
markrad	0:cdf462088d13	396	trusted, no later cert is checked. (suggested by hannes-landeholm)
markrad	0:cdf462088d13	397	(#220).
markrad	0:cdf462088d13	398	* Prepend a "thread identifier" to debug messages (issue pointed out by
markrad	0:cdf462088d13	399	Hugo Leisink) (#210).
markrad	0:cdf462088d13	400	* Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment
markrad	0:cdf462088d13	401	length.
markrad	0:cdf462088d13	402
markrad	0:cdf462088d13	403	= mbed TLS 2.0.0 released 2015-07-13
markrad	0:cdf462088d13	404
markrad	0:cdf462088d13	405	Features
markrad	0:cdf462088d13	406	* Support for DTLS 1.0 and 1.2 (RFC 6347).
markrad	0:cdf462088d13	407	* Ability to override core functions from MDx, SHAx, AES and DES modules
markrad	0:cdf462088d13	408	with custom implementation (eg hardware accelerated), complementing the
markrad	0:cdf462088d13	409	ability to override the whole module.
markrad	0:cdf462088d13	410	* New server-side implementation of session tickets that rotate keys to
markrad	0:cdf462088d13	411	preserve forward secrecy, and allows sharing across multiple contexts.
markrad	0:cdf462088d13	412	* Added a concept of X.509 cerificate verification profile that controls
markrad	0:cdf462088d13	413	which algorithms and key sizes (curves for ECDSA) are acceptable.
markrad	0:cdf462088d13	414	* Expanded configurability of security parameters in the SSL module with
markrad	0:cdf462088d13	415	mbedtls_ssl_conf_dhm_min_bitlen() and mbedtls_ssl_conf_sig_hashes().
markrad	0:cdf462088d13	416	* Introduced a concept of presets for SSL security-relevant configuration
markrad	0:cdf462088d13	417	parameters.
markrad	0:cdf462088d13	418
markrad	0:cdf462088d13	419	API Changes
markrad	0:cdf462088d13	420	* The library has been split into libmbedcrypto, libmbedx509, libmbedtls.
markrad	0:cdf462088d13	421	You now need to link to all of them if you use TLS for example.
markrad	0:cdf462088d13	422	* All public identifiers moved to the mbedtls_* or MBEDTLS_* namespace.
markrad	0:cdf462088d13	423	Some names have been further changed to make them more consistent.
markrad	0:cdf462088d13	424	Migration helpers scripts/rename.pl and include/mbedlts/compat-1.3.h are
markrad	0:cdf462088d13	425	provided. Full list of renamings in scripts/data_files/rename-1.3-2.0.txt
markrad	0:cdf462088d13	426	* Renamings of fields inside structures, not covered by the previous list:
markrad	0:cdf462088d13	427	mbedtls_cipher_info_t.key_length -> key_bitlen
markrad	0:cdf462088d13	428	mbedtls_cipher_context_t.key_length -> key_bitlen
markrad	0:cdf462088d13	429	mbedtls_ecp_curve_info.size -> bit_size
markrad	0:cdf462088d13	430	* Headers are now found in the 'mbedtls' directory (previously 'polarssl').
markrad	0:cdf462088d13	431	* The following _init() functions that could return errors have
markrad	0:cdf462088d13	432	been split into an _init() that returns void and another function that
markrad	0:cdf462088d13	433	should generally be the first function called on this context after init:
markrad	0:cdf462088d13	434	mbedtls_ssl_init() -> mbedtls_ssl_setup()
markrad	0:cdf462088d13	435	mbedtls_ccm_init() -> mbedtls_ccm_setkey()
markrad	0:cdf462088d13	436	mbedtls_gcm_init() -> mbedtls_gcm_setkey()
markrad	0:cdf462088d13	437	mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_seed(_buf)()
markrad	0:cdf462088d13	438	mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_seed()
markrad	0:cdf462088d13	439	Note that for mbedtls_ssl_setup(), you need to be done setting up the
markrad	0:cdf462088d13	440	ssl_config structure before calling it.
markrad	0:cdf462088d13	441	* Most ssl_set_xxx() functions (all except ssl_set_bio(), ssl_set_hostname(),
markrad	0:cdf462088d13	442	ssl_set_session() and ssl_set_client_transport_id(), plus
markrad	0:cdf462088d13	443	ssl_legacy_renegotiation()) have been renamed to mbedtls_ssl_conf_xxx()
markrad	0:cdf462088d13	444	(see rename.pl and compat-1.3.h above) and their first argument's type
markrad	0:cdf462088d13	445	changed from ssl_context to ssl_config.
markrad	0:cdf462088d13	446	* ssl_set_bio() changed signature (contexts merged, order switched, one
markrad	0:cdf462088d13	447	additional callback for read-with-timeout).
markrad	0:cdf462088d13	448	* The following functions have been introduced and must be used in callback
markrad	0:cdf462088d13	449	implementations (SNI, PSK) instead of their *conf counterparts:
markrad	0:cdf462088d13	450	mbedtls_ssl_set_hs_own_cert()
markrad	0:cdf462088d13	451	mbedtls_ssl_set_hs_ca_chain()
markrad	0:cdf462088d13	452	mbedtls_ssl_set_hs_psk()
markrad	0:cdf462088d13	453	* mbedtls_ssl_conf_ca_chain() lost its last argument (peer_cn), now set
markrad	0:cdf462088d13	454	using mbedtls_ssl_set_hostname().
markrad	0:cdf462088d13	455	* mbedtls_ssl_conf_session_cache() changed prototype (only one context
markrad	0:cdf462088d13	456	pointer, parameters reordered).
markrad	0:cdf462088d13	457	* On server, mbedtls_ssl_conf_session_tickets_cb() must now be used in
markrad	0:cdf462088d13	458	place of mbedtls_ssl_conf_session_tickets() to enable session tickets.
markrad	0:cdf462088d13	459	* The SSL debug callback gained two new arguments (file name, line number).
markrad	0:cdf462088d13	460	* Debug modes were removed.
markrad	0:cdf462088d13	461	* mbedtls_ssl_conf_truncated_hmac() now returns void.
markrad	0:cdf462088d13	462	* mbedtls_memory_buffer_alloc_init() now returns void.
markrad	0:cdf462088d13	463	* X.509 verification flags are now an uint32_t. Affect the signature of:
markrad	0:cdf462088d13	464	mbedtls_ssl_get_verify_result()
markrad	0:cdf462088d13	465	mbedtls_x509_ctr_verify_info()
markrad	0:cdf462088d13	466	mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be updated)
markrad	0:cdf462088d13	467	mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
markrad	0:cdf462088d13	468	* The following functions changed prototype to avoid an in-out length
markrad	0:cdf462088d13	469	parameter:
markrad	0:cdf462088d13	470	mbedtls_base64_encode()
markrad	0:cdf462088d13	471	mbedtls_base64_decode()
markrad	0:cdf462088d13	472	mbedtls_mpi_write_string()
markrad	0:cdf462088d13	473	mbedtls_dhm_calc_secret()
markrad	0:cdf462088d13	474	* In the NET module, all "int" and "int *" arguments for file descriptors
markrad	0:cdf462088d13	475	changed type to "mbedtls_net_context *".
markrad	0:cdf462088d13	476	* net_accept() gained new arguments for the size of the client_ip buffer.
markrad	0:cdf462088d13	477	* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
markrad	0:cdf462088d13	478	return void.
markrad	0:cdf462088d13	479	* ecdsa_write_signature() gained an addtional md_alg argument and
markrad	0:cdf462088d13	480	ecdsa_write_signature_det() was deprecated.
markrad	0:cdf462088d13	481	* pk_sign() no longer accepts md_alg == POLARSSL_MD_NONE with ECDSA.
markrad	0:cdf462088d13	482	* Last argument of x509_crt_check_key_usage() and
markrad	0:cdf462088d13	483	mbedtls_x509write_crt_set_key_usage() changed from int to unsigned.
markrad	0:cdf462088d13	484	* test_ca_list (from certs.h) is renamed to test_cas_pem and is only
markrad	0:cdf462088d13	485	available if POLARSSL_PEM_PARSE_C is defined (it never worked without).
markrad	0:cdf462088d13	486	* Test certificates in certs.c are no longer guaranteed to be nul-terminated
markrad	0:cdf462088d13	487	strings; use the new *_len variables instead of strlen().
markrad	0:cdf462088d13	488	* Functions mbedtls_x509_xxx_parse(), mbedtls_pk_parse_key(),
markrad	0:cdf462088d13	489	mbedtls_pk_parse_public_key() and mbedtls_dhm_parse_dhm() now expect the
markrad	0:cdf462088d13	490	length parameter to include the terminating null byte for PEM input.
markrad	0:cdf462088d13	491	* Signature of mpi_mul_mpi() changed to make the last argument unsigned
markrad	0:cdf462088d13	492	* calloc() is now used instead of malloc() everywhere. API of platform
markrad	0:cdf462088d13	493	layer and the memory_buffer_alloc module changed accordingly.
markrad	0:cdf462088d13	494	(Thanks to Mansour Moufid for helping with the replacement.)
markrad	0:cdf462088d13	495	* Change SSL_DISABLE_RENEGOTIATION config.h flag to SSL_RENEGOTIATION
markrad	0:cdf462088d13	496	(support for renegotiation now needs explicit enabling in config.h).
markrad	0:cdf462088d13	497	* Split MBEDTLS_HAVE_TIME into MBEDTLS_HAVE_TIME and MBEDTLS_HAVE_TIME_DATE
markrad	0:cdf462088d13	498	in config.h
markrad	0:cdf462088d13	499	* net_connect() and net_bind() have a new 'proto' argument to choose
markrad	0:cdf462088d13	500	between TCP and UDP, using the macros NET_PROTO_TCP or NET_PROTO_UDP.
markrad	0:cdf462088d13	501	Their 'port' argument type is changed to a string.
markrad	0:cdf462088d13	502	* Some constness fixes
markrad	0:cdf462088d13	503
markrad	0:cdf462088d13	504	Removals
markrad	0:cdf462088d13	505	* Removed mbedtls_ecp_group_read_string(). Only named groups are supported.
markrad	0:cdf462088d13	506	* Removed mbedtls_ecp_sub() and mbedtls_ecp_add(), use
markrad	0:cdf462088d13	507	mbedtls_ecp_muladd().
markrad	0:cdf462088d13	508	* Removed individual mdX_hmac, shaX_hmac, mdX_file and shaX_file functions
markrad	0:cdf462088d13	509	(use generic functions from md.h)
markrad	0:cdf462088d13	510	* Removed mbedtls_timing_msleep(). Use mbedtls_net_usleep() or a custom
markrad	0:cdf462088d13	511	waiting function.
markrad	0:cdf462088d13	512	* Removed test DHM parameters from the test certs module.
markrad	0:cdf462088d13	513	* Removed the PBKDF2 module (use PKCS5).
markrad	0:cdf462088d13	514	* Removed POLARSSL_ERROR_STRERROR_BC (use mbedtls_strerror()).
markrad	0:cdf462088d13	515	* Removed compat-1.2.h (helper for migrating from 1.2 to 1.3).
markrad	0:cdf462088d13	516	* Removed openssl.h (very partial OpenSSL compatibility layer).
markrad	0:cdf462088d13	517	* Configuration options POLARSSL_HAVE_LONGLONG was removed (now always on).
markrad	0:cdf462088d13	518	* Configuration options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 have
markrad	0:cdf462088d13	519	been removed (compiler is required to support 32-bit operations).
markrad	0:cdf462088d13	520	* Configuration option POLARSSL_HAVE_IPV6 was removed (always enabled).
markrad	0:cdf462088d13	521	* Removed test program o_p_test, the script compat.sh does more.
markrad	0:cdf462088d13	522	* Removed test program ssl_test, superseded by ssl-opt.sh.
markrad	0:cdf462088d13	523	* Removed helper script active-config.pl
markrad	0:cdf462088d13	524
markrad	0:cdf462088d13	525	New deprecations
markrad	0:cdf462088d13	526	* md_init_ctx() is deprecated in favour of md_setup(), that adds a third
markrad	0:cdf462088d13	527	argument (allowing memory savings if HMAC is not used)
markrad	0:cdf462088d13	528
markrad	0:cdf462088d13	529	Semi-API changes (technically public, morally private)
markrad	0:cdf462088d13	530	* Renamed a few headers to include _internal in the name. Those headers are
markrad	0:cdf462088d13	531	not supposed to be included by users.
markrad	0:cdf462088d13	532	* Changed md_info_t into an opaque structure (use md_get_xxx() accessors).
markrad	0:cdf462088d13	533	* Changed pk_info_t into an opaque structure.
markrad	0:cdf462088d13	534	* Changed cipher_base_t into an opaque structure.
markrad	0:cdf462088d13	535	* Removed sig_oid2 and rename sig_oid1 to sig_oid in x509_crt and x509_crl.
markrad	0:cdf462088d13	536	* x509_crt.key_usage changed from unsigned char to unsigned int.
markrad	0:cdf462088d13	537	* Removed r and s from ecdsa_context
markrad	0:cdf462088d13	538	* Removed mode from des_context and des3_context
markrad	0:cdf462088d13	539
markrad	0:cdf462088d13	540	Default behavior changes
markrad	0:cdf462088d13	541	* The default minimum TLS version is now TLS 1.0.
markrad	0:cdf462088d13	542	* RC4 is now blacklisted by default in the SSL/TLS layer, and excluded from the
markrad	0:cdf462088d13	543	default ciphersuite list returned by ssl_list_ciphersuites()
markrad	0:cdf462088d13	544	* Support for receiving SSLv2 ClientHello is now disabled by default at
markrad	0:cdf462088d13	545	compile time.
markrad	0:cdf462088d13	546	* The default authmode for SSL/TLS clients is now REQUIRED.
markrad	0:cdf462088d13	547	* Support for RSA_ALT contexts in the PK layer is now optional. Since is is
markrad	0:cdf462088d13	548	enabled in the default configuration, this is only noticeable if using a
markrad	0:cdf462088d13	549	custom config.h
markrad	0:cdf462088d13	550	* Default DHM parameters server-side upgraded from 1024 to 2048 bits.
markrad	0:cdf462088d13	551	* A minimum RSA key size of 2048 bits is now enforced during ceritificate
markrad	0:cdf462088d13	552	chain verification.
markrad	0:cdf462088d13	553	* Negotiation of truncated HMAC is now disabled by default on server too.
markrad	0:cdf462088d13	554	* The following functions are now case-sensitive:
markrad	0:cdf462088d13	555	mbedtls_cipher_info_from_string()
markrad	0:cdf462088d13	556	mbedtls_ecp_curve_info_from_name()
markrad	0:cdf462088d13	557	mbedtls_md_info_from_string()
markrad	0:cdf462088d13	558	mbedtls_ssl_ciphersuite_from_string()
markrad	0:cdf462088d13	559	mbedtls_version_check_feature()
markrad	0:cdf462088d13	560
markrad	0:cdf462088d13	561	Requirement changes
markrad	0:cdf462088d13	562	* The minimum MSVC version required is now 2010 (better C99 support).
markrad	0:cdf462088d13	563	* The NET layer now unconditionnaly relies on getaddrinfo() and select().
markrad	0:cdf462088d13	564	* Compiler is required to support C99 types such as long long and uint32_t.
markrad	0:cdf462088d13	565
markrad	0:cdf462088d13	566	API changes from the 1.4 preview branch
markrad	0:cdf462088d13	567	* ssl_set_bio_timeout() was removed, split into mbedtls_ssl_set_bio() with
markrad	0:cdf462088d13	568	new prototype, and mbedtls_ssl_set_read_timeout().
markrad	0:cdf462088d13	569	* The following functions now return void:
markrad	0:cdf462088d13	570	mbedtls_ssl_conf_transport()
markrad	0:cdf462088d13	571	mbedtls_ssl_conf_max_version()
markrad	0:cdf462088d13	572	mbedtls_ssl_conf_min_version()
markrad	0:cdf462088d13	573	* DTLS no longer hard-depends on TIMING_C, but uses a callback interface
markrad	0:cdf462088d13	574	instead, see mbedtls_ssl_set_timer_cb(), with the Timing module providing
markrad	0:cdf462088d13	575	an example implementation, see mbedtls_timing_delay_context and
markrad	0:cdf462088d13	576	mbedtls_timing_set/get_delay().
markrad	0:cdf462088d13	577	* With UDP sockets, it is no longer necessary to call net_bind() again
markrad	0:cdf462088d13	578	after a successful net_accept().
markrad	0:cdf462088d13	579
markrad	0:cdf462088d13	580	Changes
markrad	0:cdf462088d13	581	* mbedtls_ctr_drbg_random() and mbedtls_hmac_drbg_random() are now
markrad	0:cdf462088d13	582	thread-safe if MBEDTLS_THREADING_C is enabled.
markrad	0:cdf462088d13	583	* Reduced ROM fooprint of SHA-256 and added an option to reduce it even
markrad	0:cdf462088d13	584	more (at the expense of performance) MBEDTLS_SHA256_SMALLER.
markrad	0:cdf462088d13	585
markrad	0:cdf462088d13	586	= mbed TLS 1.3 branch
markrad	0:cdf462088d13	587
markrad	0:cdf462088d13	588	Security
markrad	0:cdf462088d13	589	* With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
markrad	0:cdf462088d13	590	extendedKeyUsage on the leaf certificate was lost (results not accessible
markrad	0:cdf462088d13	591	via ssl_get_verify_results()).
markrad	0:cdf462088d13	592	* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
markrad	0:cdf462088d13	593	https://dl.acm.org/citation.cfm?id=2714625
markrad	0:cdf462088d13	594
markrad	0:cdf462088d13	595	Features
markrad	0:cdf462088d13	596	* Improve ECC performance by using more efficient doubling formulas
markrad	0:cdf462088d13	597	(contributed by Peter Dettman).
markrad	0:cdf462088d13	598	* Add x509_crt_verify_info() to display certificate verification results.
markrad	0:cdf462088d13	599	* Add support for reading DH parameters with privateValueLength included
markrad	0:cdf462088d13	600	(contributed by Daniel Kahn Gillmor).
markrad	0:cdf462088d13	601	* Add support for bit strings in X.509 names (request by Fredrik Axelsson).
markrad	0:cdf462088d13	602	* Add support for id-at-uniqueIdentifier in X.509 names.
markrad	0:cdf462088d13	603	* Add support for overriding snprintf() (except on Windows) and exit() in
markrad	0:cdf462088d13	604	the platform layer.
markrad	0:cdf462088d13	605	* Add an option to use macros instead of function pointers in the platform
markrad	0:cdf462088d13	606	layer (helps get rid of unwanted references).
markrad	0:cdf462088d13	607	* Improved Makefiles for Windows targets by fixing library targets and making
markrad	0:cdf462088d13	608	cross-compilation easier (thanks to Alon Bar-Lev).
markrad	0:cdf462088d13	609	* The benchmark program also prints heap usage for public-key primitives
markrad	0:cdf462088d13	610	if POLARSSL_MEMORY_BUFFER_ALLOC_C and POLARSSL_MEMORY_DEBUG are defined.
markrad	0:cdf462088d13	611	* New script ecc-heap.sh helps measuring the impact of ECC parameters on
markrad	0:cdf462088d13	612	speed and RAM (heap only for now) usage.
markrad	0:cdf462088d13	613	* New script memory.sh helps measuring the ROM and RAM requirements of two
markrad	0:cdf462088d13	614	reduced configurations (PSK-CCM and NSA suite B).
markrad	0:cdf462088d13	615	* Add config flag POLARSSL_DEPRECATED_WARNING (off by default) to produce
markrad	0:cdf462088d13	616	warnings on use of deprecated functions (with GCC and Clang only).
markrad	0:cdf462088d13	617	* Add config flag POLARSSL_DEPRECATED_REMOVED (off by default) to produce
markrad	0:cdf462088d13	618	errors on use of deprecated functions.
markrad	0:cdf462088d13	619
markrad	0:cdf462088d13	620	Bugfix
markrad	0:cdf462088d13	621	* Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
markrad	0:cdf462088d13	622	* Fix compile error with PLATFORM_EXIT_ALT (thanks to Rafał Przywara).
markrad	0:cdf462088d13	623	* Fix bug in entropy.c when THREADING_C is also enabled that caused
markrad	0:cdf462088d13	624	entropy_free() to crash (thanks to Rafał Przywara).
markrad	0:cdf462088d13	625	* Fix memory leak when gcm_setkey() and ccm_setkey() are used more than
markrad	0:cdf462088d13	626	once on the same context.
markrad	0:cdf462088d13	627	* Fix bug in ssl_mail_client when password is longer that username (found
markrad	0:cdf462088d13	628	by Bruno Pape).
markrad	0:cdf462088d13	629	* Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
markrad	0:cdf462088d13	630	(detected by Clang's 3.6 UBSan).
markrad	0:cdf462088d13	631	* mpi_size() and mpi_msb() would segfault when called on an mpi that is
markrad	0:cdf462088d13	632	initialized but not set (found by pravic).
markrad	0:cdf462088d13	633	* Fix detection of support for getrandom() on Linux (reported by syzzer) by
markrad	0:cdf462088d13	634	doing it at runtime (using uname) rather that compile time.
markrad	0:cdf462088d13	635	* Fix handling of symlinks by "make install" (found by Gaël PORTAY).
markrad	0:cdf462088d13	636	* Fix potential NULL pointer dereference (not trigerrable remotely) when
markrad	0:cdf462088d13	637	ssl_write() is called before the handshake is finished (introduced in
markrad	0:cdf462088d13	638	1.3.10) (first reported by Martin Blumenstingl).
markrad	0:cdf462088d13	639	* Fix bug in pk_parse_key() that caused some valid private EC keys to be
markrad	0:cdf462088d13	640	rejected.
markrad	0:cdf462088d13	641	* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
markrad	0:cdf462088d13	642	* Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
markrad	0:cdf462088d13	643	* Fix hardclock() (only used in the benchmarking program) with some
markrad	0:cdf462088d13	644	versions of mingw64 (found by kxjhlele).
markrad	0:cdf462088d13	645	* Fix warnings from mingw64 in timing.c (found by kxjklele).
markrad	0:cdf462088d13	646	* Fix potential unintended sign extension in asn1_get_len() on 64-bit
markrad	0:cdf462088d13	647	platforms.
markrad	0:cdf462088d13	648	* Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
markrad	0:cdf462088d13	649	* Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTATION and
markrad	0:cdf462088d13	650	POLARSSL_SSL_SSESSION_TICKETS where both enabled in config.h (introduced
markrad	0:cdf462088d13	651	in 1.3.10).
markrad	0:cdf462088d13	652	* Add missing extern "C" guard in aesni.h (reported by amir zamani).
markrad	0:cdf462088d13	653	* Add missing dependency on SHA-256 in some x509 programs (reported by
markrad	0:cdf462088d13	654	Gergely Budai).
markrad	0:cdf462088d13	655	* Fix bug related to ssl_set_curves(): the client didn't check that the
markrad	0:cdf462088d13	656	curve picked by the server was actually allowed.
markrad	0:cdf462088d13	657
markrad	0:cdf462088d13	658	Changes
markrad	0:cdf462088d13	659	* Remove bias in mpi_gen_prime (contributed by Pascal Junod).
markrad	0:cdf462088d13	660	* Remove potential sources of timing variations (some contributed by Pascal
markrad	0:cdf462088d13	661	Junod).
markrad	0:cdf462088d13	662	* Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
markrad	0:cdf462088d13	663	* Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
markrad	0:cdf462088d13	664	* compat-1.2.h and openssl.h are deprecated.
markrad	0:cdf462088d13	665	* Adjusting/overriding CFLAGS and LDFLAGS with the make build system is now
markrad	0:cdf462088d13	666	more flexible (warning: OFLAGS is not used any more) (see the README)
markrad	0:cdf462088d13	667	(contributed by Alon Bar-Lev).
markrad	0:cdf462088d13	668	* ssl_set_own_cert() no longer calls pk_check_pair() since the
markrad	0:cdf462088d13	669	performance impact was bad for some users (this was introduced in 1.3.10).
markrad	0:cdf462088d13	670	* Move from SHA-1 to SHA-256 in example programs using signatures
markrad	0:cdf462088d13	671	(suggested by Thorsten Mühlfelder).
markrad	0:cdf462088d13	672	* Remove some unneeded inclusions of header files from the standard library
markrad	0:cdf462088d13	673	"minimize" others (eg use stddef.h if only size_t is needed).
markrad	0:cdf462088d13	674	* Change #include lines in test files to use double quotes instead of angle
markrad	0:cdf462088d13	675	brackets for uniformity with the rest of the code.
markrad	0:cdf462088d13	676	* Remove dependency on sscanf() in X.509 parsing modules.
markrad	0:cdf462088d13	677
markrad	0:cdf462088d13	678	= mbed TLS 1.3.10 released 2015-02-09
markrad	0:cdf462088d13	679	Security
markrad	0:cdf462088d13	680	* NULL pointer dereference in the buffer-based allocator when the buffer is
markrad	0:cdf462088d13	681	full and polarssl_free() is called (found by Mark Hasemeyer)
markrad	0:cdf462088d13	682	(only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is
markrad	0:cdf462088d13	683	not by default).
markrad	0:cdf462088d13	684	* Fix remotely-triggerable uninitialised pointer dereference caused by
markrad	0:cdf462088d13	685	crafted X.509 certificate (TLS server is not affected if it doesn't ask for a
markrad	0:cdf462088d13	686	client certificate) (found using Codenomicon Defensics).
markrad	0:cdf462088d13	687	* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
markrad	0:cdf462088d13	688	(TLS server is not affected if it doesn't ask for a client certificate)
markrad	0:cdf462088d13	689	(found using Codenomicon Defensics).
markrad	0:cdf462088d13	690	* Fix potential stack overflow while parsing crafted X.509 certificates
markrad	0:cdf462088d13	691	(TLS server is not affected if it doesn't ask for a client certificate)
markrad	0:cdf462088d13	692	(found using Codenomicon Defensics).
markrad	0:cdf462088d13	693	* Fix timing difference that could theoretically lead to a
markrad	0:cdf462088d13	694	Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges
markrad	0:cdf462088d13	695	(reported by Sebastian Schinzel).
markrad	0:cdf462088d13	696
markrad	0:cdf462088d13	697	Features
markrad	0:cdf462088d13	698	* Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
markrad	0:cdf462088d13	699	* Add support for Extended Master Secret (draft-ietf-tls-session-hash).
markrad	0:cdf462088d13	700	* Add support for Encrypt-then-MAC (RFC 7366).
markrad	0:cdf462088d13	701	* Add function pk_check_pair() to test if public and private keys match.
markrad	0:cdf462088d13	702	* Add x509_crl_parse_der().
markrad	0:cdf462088d13	703	* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
markrad	0:cdf462088d13	704	length of an X.509 verification chain.
markrad	0:cdf462088d13	705	* Support for renegotiation can now be disabled at compile-time
markrad	0:cdf462088d13	706	* Support for 1/n-1 record splitting, a countermeasure against BEAST.
markrad	0:cdf462088d13	707	* Certificate selection based on signature hash, preferring SHA-1 over SHA-2
markrad	0:cdf462088d13	708	for pre-1.2 clients when multiple certificates are available.
markrad	0:cdf462088d13	709	* Add support for getrandom() syscall on recent Linux kernels with Glibc or
markrad	0:cdf462088d13	710	a compatible enough libc (eg uClibc).
markrad	0:cdf462088d13	711	* Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime
markrad	0:cdf462088d13	712	while using the default ciphersuite list.
markrad	0:cdf462088d13	713	* Added new error codes and debug messages about selection of
markrad	0:cdf462088d13	714	ciphersuite/certificate.
markrad	0:cdf462088d13	715
markrad	0:cdf462088d13	716	Bugfix
markrad	0:cdf462088d13	717	* Stack buffer overflow if ctr_drbg_update() is called with too large
markrad	0:cdf462088d13	718	add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
markrad	0:cdf462088d13	719	* Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
markrad	0:cdf462088d13	720	if memory_buffer_alloc_init() was called with buf not aligned and len not
markrad	0:cdf462088d13	721	a multiple of POLARSSL_MEMORY_ALIGN_MULTIPLE (not triggerable remotely).
markrad	0:cdf462088d13	722	* User set CFLAGS were ignored by Cmake with gcc (introduced in 1.3.9, found
markrad	0:cdf462088d13	723	by Julian Ospald).
markrad	0:cdf462088d13	724	* Fix potential undefined behaviour in Camellia.
markrad	0:cdf462088d13	725	* Fix potential failure in ECDSA signatures when POLARSSL_ECP_MAX_BITS is a
markrad	0:cdf462088d13	726	multiple of 8 (found by Gergely Budai).
markrad	0:cdf462088d13	727	* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
markrad	0:cdf462088d13	728	Peter Vaskovic).
markrad	0:cdf462088d13	729	* Fix assembly selection for MIPS64 (thanks to James Cowgill).
markrad	0:cdf462088d13	730	* ssl_get_verify_result() now works even if the handshake was aborted due
markrad	0:cdf462088d13	731	to a failed verification (found by Fredrik Axelsson).
markrad	0:cdf462088d13	732	* Skip writing and parsing signature_algorithm extension if none of the
markrad	0:cdf462088d13	733	key exchanges enabled needs certificates. This fixes a possible interop
markrad	0:cdf462088d13	734	issue with some servers when a zero-length extension was sent. (Reported
markrad	0:cdf462088d13	735	by Peter Dettman.)
markrad	0:cdf462088d13	736	* On a 0-length input, base64_encode() did not correctly set output length
markrad	0:cdf462088d13	737	(found by Hendrik van den Boogaard).
markrad	0:cdf462088d13	738
markrad	0:cdf462088d13	739	Changes
markrad	0:cdf462088d13	740	* Use deterministic nonces for AEAD ciphers in TLS by default (possible to
markrad	0:cdf462088d13	741	switch back to random with POLARSSL_SSL_AEAD_RANDOM_IV in config.h).
markrad	0:cdf462088d13	742	* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
markrad	0:cdf462088d13	743	* ssl_set_own_cert() now returns an error on key-certificate mismatch.
markrad	0:cdf462088d13	744	* Forbid repeated extensions in X.509 certificates.
markrad	0:cdf462088d13	745	* debug_print_buf() now prints a text view in addition to hexadecimal.
markrad	0:cdf462088d13	746	* A specific error is now returned when there are ciphersuites in common
markrad	0:cdf462088d13	747	but none of them is usable due to external factors such as no certificate
markrad	0:cdf462088d13	748	with a suitable (extended)KeyUsage or curve or no PSK set.
markrad	0:cdf462088d13	749	* It is now possible to disable negotiation of truncated HMAC server-side
markrad	0:cdf462088d13	750	at runtime with ssl_set_truncated_hmac().
markrad	0:cdf462088d13	751	* Example programs for SSL client and server now disable SSLv3 by default.
markrad	0:cdf462088d13	752	* Example programs for SSL client and server now disable RC4 by default.
markrad	0:cdf462088d13	753	* Use platform.h in all test suites and programs.
markrad	0:cdf462088d13	754
markrad	0:cdf462088d13	755	= PolarSSL 1.3.9 released 2014-10-20
markrad	0:cdf462088d13	756	Security
markrad	0:cdf462088d13	757	* Lowest common hash was selected from signature_algorithms extension in
markrad	0:cdf462088d13	758	TLS 1.2 (found by Darren Bane) (introduced in 1.3.8).
markrad	0:cdf462088d13	759	* Remotely-triggerable memory leak when parsing some X.509 certificates
markrad	0:cdf462088d13	760	(server is not affected if it doesn't ask for a client certificate)
markrad	0:cdf462088d13	761	(found using Codenomicon Defensics).
markrad	0:cdf462088d13	762	* Remotely-triggerable memory leak when parsing crafted ClientHello
markrad	0:cdf462088d13	763	(not affected if ECC support was compiled out) (found using Codenomicon
markrad	0:cdf462088d13	764	Defensics).
markrad	0:cdf462088d13	765
markrad	0:cdf462088d13	766	Bugfix
markrad	0:cdf462088d13	767	* Support escaping of commas in x509_string_to_names()
markrad	0:cdf462088d13	768	* Fix compile error in ssl_pthread_server (found by Julian Ospald).
markrad	0:cdf462088d13	769	* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
markrad	0:cdf462088d13	770	* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
markrad	0:cdf462088d13	771	* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
markrad	0:cdf462088d13	772	* Fix compile error in timing.c when POLARSSL_NET_C and POLARSSL_SELFTEST
markrad	0:cdf462088d13	773	are defined but not POLARSSL_HAVE_TIME (found by Stephane Di Vito).
markrad	0:cdf462088d13	774	* Remove non-existent file from VS projects (found by Peter Vaskovic).
markrad	0:cdf462088d13	775	* ssl_read() could return non-application data records on server while
markrad	0:cdf462088d13	776	renegotation was pending, and on client when a HelloRequest was received.
markrad	0:cdf462088d13	777	* Server-initiated renegotiation would fail with non-blocking I/O if the
markrad	0:cdf462088d13	778	write callback returned WANT_WRITE when requesting renegotiation.
markrad	0:cdf462088d13	779	* ssl_close_notify() could send more than one message in some circumstances
markrad	0:cdf462088d13	780	with non-blocking I/O.
markrad	0:cdf462088d13	781	* Fix compiler warnings on iOS (found by Sander Niemeijer).
markrad	0:cdf462088d13	782	* x509_crt_parse() did not increase total_failed on PEM error
markrad	0:cdf462088d13	783	* Fix compile error with armcc in mpi_is_prime()
markrad	0:cdf462088d13	784	* Fix potential bad read in parsing ServerHello (found by Adrien
markrad	0:cdf462088d13	785	Vialletelle).
markrad	0:cdf462088d13	786
markrad	0:cdf462088d13	787	Changes
markrad	0:cdf462088d13	788	* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
markrad	0:cdf462088d13	789	standard defining how to use SHA-2 with SSL 3.0).
markrad	0:cdf462088d13	790	* Ciphersuites using RSA-PSK key exchange new require TLS 1.x (the spec is
markrad	0:cdf462088d13	791	ambiguous on how to encode some packets with SSL 3.0).
markrad	0:cdf462088d13	792	* Made buffer size in pk_write_(pub)key_pem() more dynamic, eg smaller if
markrad	0:cdf462088d13	793	RSA is disabled, larger if POLARSSL_MPI_MAX_SIZE is larger.
markrad	0:cdf462088d13	794	* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
markrad	0:cdf462088d13	795	POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
markrad	0:cdf462088d13	796	* POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits
markrad	0:cdf462088d13	797	RSA keys.
markrad	0:cdf462088d13	798	* Accept spaces at end of line or end of buffer in base64_decode().
markrad	0:cdf462088d13	799	* X.509 certificates with more than one AttributeTypeAndValue per
markrad	0:cdf462088d13	800	RelativeDistinguishedName are not accepted any more.
markrad	0:cdf462088d13	801
markrad	0:cdf462088d13	802	= PolarSSL 1.3.8 released 2014-07-11
markrad	0:cdf462088d13	803	Security
markrad	0:cdf462088d13	804	* Fix length checking for AEAD ciphersuites (found by Codenomicon).
markrad	0:cdf462088d13	805	It was possible to crash the server (and client) using crafted messages
markrad	0:cdf462088d13	806	when a GCM suite was chosen.
markrad	0:cdf462088d13	807
markrad	0:cdf462088d13	808	Features
markrad	0:cdf462088d13	809	* Add CCM module and cipher mode to Cipher Layer
markrad	0:cdf462088d13	810	* Support for CCM and CCM_8 ciphersuites
markrad	0:cdf462088d13	811	* Support for parsing and verifying RSASSA-PSS signatures in the X.509
markrad	0:cdf462088d13	812	modules (certificates, CRLs and CSRs).
markrad	0:cdf462088d13	813	* Blowfish in the cipher layer now supports variable length keys.
markrad	0:cdf462088d13	814	* Add example config.h for PSK with CCM, optimized for low RAM usage.
markrad	0:cdf462088d13	815	* Optimize for RAM usage in example config.h for NSA Suite B profile.
markrad	0:cdf462088d13	816	* Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites
markrad	0:cdf462088d13	817	from the default list (inactive by default).
markrad	0:cdf462088d13	818	* Add server-side enforcement of sent renegotiation requests
markrad	0:cdf462088d13	819	(ssl_set_renegotiation_enforced())
markrad	0:cdf462088d13	820	* Add SSL_CIPHERSUITES config.h flag to allow specifying a list of
markrad	0:cdf462088d13	821	ciphersuites to use and save some memory if the list is small.
markrad	0:cdf462088d13	822
markrad	0:cdf462088d13	823	Changes
markrad	0:cdf462088d13	824	* Add LINK_WITH_PTHREAD option in CMake for explicit linking that is
markrad	0:cdf462088d13	825	required on some platforms (e.g. OpenBSD)
markrad	0:cdf462088d13	826	* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
markrad	0:cdf462088d13	827	against unwanted compiler optimizations
markrad	0:cdf462088d13	828	* md_list() now returns hashes strongest first
markrad	0:cdf462088d13	829	* Selection of hash for signing ServerKeyExchange in TLS 1.2 now picks
markrad	0:cdf462088d13	830	strongest offered by client.
markrad	0:cdf462088d13	831	* All public contexts have _init() and _free() functions now for simpler
markrad	0:cdf462088d13	832	usage pattern
markrad	0:cdf462088d13	833
markrad	0:cdf462088d13	834	Bugfix
markrad	0:cdf462088d13	835	* Fix in debug_print_msg()
markrad	0:cdf462088d13	836	* Enforce alignment in the buffer allocator even if buffer is not aligned
markrad	0:cdf462088d13	837	* Remove less-than-zero checks on unsigned numbers
markrad	0:cdf462088d13	838	* Stricter check on SSL ClientHello internal sizes compared to actual packet
markrad	0:cdf462088d13	839	size (found by TrustInSoft)
markrad	0:cdf462088d13	840	* Fix WSAStartup() return value check (found by Peter Vaskovic)
markrad	0:cdf462088d13	841	* Other minor issues (found by Peter Vaskovic)
markrad	0:cdf462088d13	842	* Fix symlink command for cross compiling with CMake (found by Andre
markrad	0:cdf462088d13	843	Heinecke)
markrad	0:cdf462088d13	844	* Fix DER output of gen_key app (found by Gergely Budai)
markrad	0:cdf462088d13	845	* Very small records were incorrectly rejected when truncated HMAC was in
markrad	0:cdf462088d13	846	use with some ciphersuites and versions (RC4 in all versions, CBC with
markrad	0:cdf462088d13	847	versions < TLS 1.1).
markrad	0:cdf462088d13	848	* Very large records using more than 224 bytes of padding were incorrectly
markrad	0:cdf462088d13	849	rejected with CBC-based ciphersuites and TLS >= 1.1
markrad	0:cdf462088d13	850	* Very large records using less padding could cause a buffer overread of up
markrad	0:cdf462088d13	851	to 32 bytes with CBC-based ciphersuites and TLS >= 1.1
markrad	0:cdf462088d13	852	* Restore ability to use a v1 cert as a CA if trusted locally. (This had
markrad	0:cdf462088d13	853	been removed in 1.3.6.)
markrad	0:cdf462088d13	854	* Restore ability to locally trust a self-signed cert that is not a proper
markrad	0:cdf462088d13	855	CA for use as an end entity certificate. (This had been removed in
markrad	0:cdf462088d13	856	1.3.6.)
markrad	0:cdf462088d13	857	* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
markrad	0:cdf462088d13	858	* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
markrad	0:cdf462088d13	859	interpret semicolons as comment delimiters (found by Barry K. Nathan).
markrad	0:cdf462088d13	860	* Fix off-by-one error in parsing Supported Point Format extension that
markrad	0:cdf462088d13	861	caused some handshakes to fail.
markrad	0:cdf462088d13	862	* Fix possible miscomputation of the premaster secret with DHE-PSK key
markrad	0:cdf462088d13	863	exchange that caused some handshakes to fail with other implementations.
markrad	0:cdf462088d13	864	(Failure rate <= 1/255 with common DHM moduli.)
markrad	0:cdf462088d13	865	* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
markrad	0:cdf462088d13	866	* Fix base64_decode() to return and check length correctly (in case of
markrad	0:cdf462088d13	867	tight buffers)
markrad	0:cdf462088d13	868	* Fix mpi_write_string() to write "00" as hex output for empty MPI (found
markrad	0:cdf462088d13	869	by Hui Dong)
markrad	0:cdf462088d13	870
markrad	0:cdf462088d13	871	= PolarSSL 1.3.7 released on 2014-05-02
markrad	0:cdf462088d13	872	Features
markrad	0:cdf462088d13	873	* debug_set_log_mode() added to determine raw or full logging
markrad	0:cdf462088d13	874	* debug_set_threshold() added to ignore messages over threshold level
markrad	0:cdf462088d13	875	* version_check_feature() added to check for compile-time options at
markrad	0:cdf462088d13	876	run-time
markrad	0:cdf462088d13	877
markrad	0:cdf462088d13	878	Changes
markrad	0:cdf462088d13	879	* POLARSSL_CONFIG_OPTIONS has been removed. All values are individually
markrad	0:cdf462088d13	880	checked and filled in the relevant module headers
markrad	0:cdf462088d13	881	* Debug module only outputs full lines instead of parts
markrad	0:cdf462088d13	882	* Better support for the different Attribute Types from IETF PKIX (RFC 5280)
markrad	0:cdf462088d13	883	* AES-NI now compiles with "old" assemblers too
markrad	0:cdf462088d13	884	* Ciphersuites based on RC4 now have the lowest priority by default
markrad	0:cdf462088d13	885
markrad	0:cdf462088d13	886	Bugfix
markrad	0:cdf462088d13	887	* Only iterate over actual certificates in ssl_write_certificate_request()
markrad	0:cdf462088d13	888	(found by Matthew Page)
markrad	0:cdf462088d13	889	* Typos in platform.c and pkcs11.c (found by Daniel Phillips and Steffan
markrad	0:cdf462088d13	890	Karger)
markrad	0:cdf462088d13	891	* cert_write app should use subject of issuer certificate as issuer of cert
markrad	0:cdf462088d13	892	* Fix false reject in padding check in ssl_decrypt_buf() for CBC
markrad	0:cdf462088d13	893	ciphersuites, for full SSL frames of data.
markrad	0:cdf462088d13	894	* Improve interoperability by not writing extension length in ClientHello /
markrad	0:cdf462088d13	895	ServerHello when no extensions are present (found by Matthew Page)
markrad	0:cdf462088d13	896	* rsa_check_pubkey() now allows an E up to N
markrad	0:cdf462088d13	897	* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
markrad	0:cdf462088d13	898	* mpi_fill_random() was creating numbers larger than requested on
markrad	0:cdf462088d13	899	big-endian platform when size was not an integer number of limbs
markrad	0:cdf462088d13	900	* Fix dependencies issues in X.509 test suite.
markrad	0:cdf462088d13	901	* Some parts of ssl_tls.c were compiled even when the module was disabled.
markrad	0:cdf462088d13	902	* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
markrad	0:cdf462088d13	903	* Fix detection of Clang on some Apple platforms with CMake
markrad	0:cdf462088d13	904	(found by Barry K. Nathan)
markrad	0:cdf462088d13	905
markrad	0:cdf462088d13	906	= PolarSSL 1.3.6 released on 2014-04-11
markrad	0:cdf462088d13	907
markrad	0:cdf462088d13	908	Features
markrad	0:cdf462088d13	909	* Support for the ALPN SSL extension
markrad	0:cdf462088d13	910	* Add option 'use_dev_random' to gen_key application
markrad	0:cdf462088d13	911	* Enable verification of the keyUsage extension for CA and leaf
markrad	0:cdf462088d13	912	certificates (POLARSSL_X509_CHECK_KEY_USAGE)
markrad	0:cdf462088d13	913	* Enable verification of the extendedKeyUsage extension
markrad	0:cdf462088d13	914	(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
markrad	0:cdf462088d13	915
markrad	0:cdf462088d13	916	Changes
markrad	0:cdf462088d13	917	* x509_crt_info() now prints information about parsed extensions as well
markrad	0:cdf462088d13	918	* pk_verify() now returns a specific error code when the signature is valid
markrad	0:cdf462088d13	919	but shorter than the supplied length.
markrad	0:cdf462088d13	920	* Use UTC time to check certificate validity.
markrad	0:cdf462088d13	921	* Reject certificates with times not in UTC, per RFC 5280.
markrad	0:cdf462088d13	922
markrad	0:cdf462088d13	923	Security
markrad	0:cdf462088d13	924	* Avoid potential timing leak in ecdsa_sign() by blinding modular division.
markrad	0:cdf462088d13	925	(Found by Watson Ladd.)
markrad	0:cdf462088d13	926	* The notAfter date of some certificates was no longer checked since 1.3.5.
markrad	0:cdf462088d13	927	This affects certificates in the user-supplied chain except the top
markrad	0:cdf462088d13	928	certificate. If the user-supplied chain contains only one certificates,
markrad	0:cdf462088d13	929	it is not affected (ie, its notAfter date is properly checked).
markrad	0:cdf462088d13	930	* Prevent potential NULL pointer dereference in ssl_read_record() (found by
markrad	0:cdf462088d13	931	TrustInSoft)
markrad	0:cdf462088d13	932
markrad	0:cdf462088d13	933	Bugfix
markrad	0:cdf462088d13	934	* The length of various ClientKeyExchange messages was not properly checked.
markrad	0:cdf462088d13	935	* Some example server programs were not sending the close_notify alert.
markrad	0:cdf462088d13	936	* Potential memory leak in mpi_exp_mod() when error occurs during
markrad	0:cdf462088d13	937	calculation of RR.
markrad	0:cdf462088d13	938	* Fixed malloc/free default #define in platform.c (found by Gergely Budai).
markrad	0:cdf462088d13	939	* Fixed type which made POLARSSL_ENTROPY_FORCE_SHA256 uneffective (found by
markrad	0:cdf462088d13	940	Gergely Budai).
markrad	0:cdf462088d13	941	* Fix #include path in ecdsa.h which wasn't accepted by some compilers.
markrad	0:cdf462088d13	942	(found by Gergely Budai)
markrad	0:cdf462088d13	943	* Fix compile errors when POLARSSL_ERROR_STRERROR_BC is undefined (found by
markrad	0:cdf462088d13	944	Shuo Chen).
markrad	0:cdf462088d13	945	* oid_get_numeric_string() used to truncate the output without returning an
markrad	0:cdf462088d13	946	error if the output buffer was just 1 byte too small.
markrad	0:cdf462088d13	947	* dhm_parse_dhm() (hence dhm_parse_dhmfile()) did not set dhm->len.
markrad	0:cdf462088d13	948	* Calling pk_debug() on an RSA-alt key would segfault.
markrad	0:cdf462088d13	949	* pk_get_size() and pk_get_len() were off by a factor 8 for RSA-alt keys.
markrad	0:cdf462088d13	950	* Potential buffer overwrite in pem_write_buffer() because of low length
markrad	0:cdf462088d13	951	indication (found by Thijs Alkemade)
markrad	0:cdf462088d13	952	* EC curves constants, which should be only in ROM since 1.3.3, were also
markrad	0:cdf462088d13	953	stored in RAM due to missing 'const's (found by Gergely Budai).
markrad	0:cdf462088d13	954
markrad	0:cdf462088d13	955	= PolarSSL 1.3.5 released on 2014-03-26
markrad	0:cdf462088d13	956	Features
markrad	0:cdf462088d13	957	* HMAC-DRBG as a separate module
markrad	0:cdf462088d13	958	* Option to set the Curve preference order (disabled by default)
markrad	0:cdf462088d13	959	* Single Platform compatilibity layer (for memory / printf / fprintf)
markrad	0:cdf462088d13	960	* Ability to provide alternate timing implementation
markrad	0:cdf462088d13	961	* Ability to force the entropy module to use SHA-256 as its basis
markrad	0:cdf462088d13	962	(POLARSSL_ENTROPY_FORCE_SHA256)
markrad	0:cdf462088d13	963	* Testing script ssl-opt.sh added for testing 'live' ssl option
markrad	0:cdf462088d13	964	interoperability against OpenSSL and PolarSSL
markrad	0:cdf462088d13	965	* Support for reading EC keys that use SpecifiedECDomain in some cases.
markrad	0:cdf462088d13	966	* Entropy module now supports seed writing and reading
markrad	0:cdf462088d13	967
markrad	0:cdf462088d13	968	Changes
markrad	0:cdf462088d13	969	* Deprecated the Memory layer
markrad	0:cdf462088d13	970	* entropy_add_source(), entropy_update_manual() and entropy_gather()
markrad	0:cdf462088d13	971	now thread-safe if POLARSSL_THREADING_C defined
markrad	0:cdf462088d13	972	* Improvements to the CMake build system, contributed by Julian Ospald.
markrad	0:cdf462088d13	973	* Work around a bug of the version of Clang shipped by Apple with Mavericks
markrad	0:cdf462088d13	974	that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
markrad	0:cdf462088d13	975	* Revamped the compat.sh interoperatibility script to include support for
markrad	0:cdf462088d13	976	testing against GnuTLS
markrad	0:cdf462088d13	977	* Deprecated ssl_set_own_cert_rsa() and ssl_set_own_cert_rsa_alt()
markrad	0:cdf462088d13	978	* Improvements to tests/Makefile, contributed by Oden Eriksson.
markrad	0:cdf462088d13	979
markrad	0:cdf462088d13	980	Security
markrad	0:cdf462088d13	981	* Forbid change of server certificate during renegotiation to prevent
markrad	0:cdf462088d13	982	"triple handshake" attack when authentication mode is 'optional' (the
markrad	0:cdf462088d13	983	attack was already impossible when authentication is required).
markrad	0:cdf462088d13	984	* Check notBefore timestamp of certificates and CRLs from the future.
markrad	0:cdf462088d13	985	* Forbid sequence number wrapping
markrad	0:cdf462088d13	986	* Fixed possible buffer overflow with overlong PSK
markrad	0:cdf462088d13	987	* Possible remotely-triggered out-of-bounds memory access fixed (found by
markrad	0:cdf462088d13	988	TrustInSoft)
markrad	0:cdf462088d13	989
markrad	0:cdf462088d13	990	Bugfix
markrad	0:cdf462088d13	991	* ecp_gen_keypair() does more tries to prevent failure because of
markrad	0:cdf462088d13	992	statistics
markrad	0:cdf462088d13	993	* Fixed bug in RSA PKCS#1 v1.5 "reversed" operations
markrad	0:cdf462088d13	994	* Fixed testing with out-of-source builds using cmake
markrad	0:cdf462088d13	995	* Fixed version-major intolerance in server
markrad	0:cdf462088d13	996	* Fixed CMake symlinking on out-of-source builds
markrad	0:cdf462088d13	997	* Fixed dependency issues in test suite
markrad	0:cdf462088d13	998	* Programs rsa_sign_pss and rsa_verify_pss were not using PSS since 1.3.0
markrad	0:cdf462088d13	999	* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
markrad	0:cdf462088d13	1000	Alex Wilson.)
markrad	0:cdf462088d13	1001	* ssl_cache was creating entries when max_entries=0 if TIMING_C was enabled.
markrad	0:cdf462088d13	1002	* m_sleep() was sleeping twice too long on most Unix platforms.
markrad	0:cdf462088d13	1003	* Fixed bug with session tickets and non-blocking I/O in the unlikely case
markrad	0:cdf462088d13	1004	send() would return an EAGAIN error when sending the ticket.
markrad	0:cdf462088d13	1005	* ssl_cache was leaking memory when reusing a timed out entry containing a
markrad	0:cdf462088d13	1006	client certificate.
markrad	0:cdf462088d13	1007	* ssl_srv was leaking memory when client presented a timed out ticket
markrad	0:cdf462088d13	1008	containing a client certificate
markrad	0:cdf462088d13	1009	* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
markrad	0:cdf462088d13	1010	out_ctr failed
markrad	0:cdf462088d13	1011	* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
markrad	0:cdf462088d13	1012	of one of them failed
markrad	0:cdf462088d13	1013	* Fix typo in rsa_copy() that impacted PKCS#1 v2 contexts
markrad	0:cdf462088d13	1014	* x509_get_current_time() uses localtime_r() to prevent thread issues
markrad	0:cdf462088d13	1015
markrad	0:cdf462088d13	1016	= PolarSSL 1.3.4 released on 2014-01-27
markrad	0:cdf462088d13	1017	Features
markrad	0:cdf462088d13	1018	* Support for the Koblitz curves: secp192k1, secp224k1, secp256k1
markrad	0:cdf462088d13	1019	* Support for RIPEMD-160
markrad	0:cdf462088d13	1020	* Support for AES CFB8 mode
markrad	0:cdf462088d13	1021	* Support for deterministic ECDSA (RFC 6979)
markrad	0:cdf462088d13	1022
markrad	0:cdf462088d13	1023	Bugfix
markrad	0:cdf462088d13	1024	* Potential memory leak in bignum_selftest()
markrad	0:cdf462088d13	1025	* Replaced expired test certificate
markrad	0:cdf462088d13	1026	* ssl_mail_client now terminates lines with CRLF, instead of LF
markrad	0:cdf462088d13	1027	* net module handles timeouts on blocking sockets better (found by Tilman
markrad	0:cdf462088d13	1028	Sauerbeck)
markrad	0:cdf462088d13	1029	* Assembly format fixes in bn_mul.h
markrad	0:cdf462088d13	1030
markrad	0:cdf462088d13	1031	Security
markrad	0:cdf462088d13	1032	* Missing MPI_CHK calls added around unguarded mpi calls (found by
markrad	0:cdf462088d13	1033	TrustInSoft)
markrad	0:cdf462088d13	1034
markrad	0:cdf462088d13	1035	= PolarSSL 1.3.3 released on 2013-12-31
markrad	0:cdf462088d13	1036	Features
markrad	0:cdf462088d13	1037	* EC key generation support in gen_key app
markrad	0:cdf462088d13	1038	* Support for adhering to client ciphersuite order preference
markrad	0:cdf462088d13	1039	(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
markrad	0:cdf462088d13	1040	* Support for Curve25519
markrad	0:cdf462088d13	1041	* Support for ECDH-RSA and ECDH-ECDSA key exchanges and ciphersuites
markrad	0:cdf462088d13	1042	* Support for IPv6 in the NET module
markrad	0:cdf462088d13	1043	* AES-NI support for AES, AES-GCM and AES key scheduling
markrad	0:cdf462088d13	1044	* SSL Pthread-based server example added (ssl_pthread_server)
markrad	0:cdf462088d13	1045
markrad	0:cdf462088d13	1046	Changes
markrad	0:cdf462088d13	1047	* gen_prime() speedup
markrad	0:cdf462088d13	1048	* Speedup of ECP multiplication operation
markrad	0:cdf462088d13	1049	* Relaxed some SHA2 ciphersuite's version requirements
markrad	0:cdf462088d13	1050	* Dropped use of readdir_r() instead of readdir() with threading support
markrad	0:cdf462088d13	1051	* More constant-time checks in the RSA module
markrad	0:cdf462088d13	1052	* Split off curves from ecp.c into ecp_curves.c
markrad	0:cdf462088d13	1053	* Curves are now stored fully in ROM
markrad	0:cdf462088d13	1054	* Memory usage optimizations in ECP module
markrad	0:cdf462088d13	1055	* Removed POLARSSL_THREADING_DUMMY
markrad	0:cdf462088d13	1056
markrad	0:cdf462088d13	1057	Bugfix
markrad	0:cdf462088d13	1058	* Fixed bug in mpi_set_bit() on platforms where t_uint is wider than int
markrad	0:cdf462088d13	1059	* Fixed X.509 hostname comparison (with non-regular characters)
markrad	0:cdf462088d13	1060	* SSL now gracefully handles missing RNG
markrad	0:cdf462088d13	1061	* Missing defines / cases for RSA_PSK key exchange
markrad	0:cdf462088d13	1062	* crypt_and_hash app checks MAC before final decryption
markrad	0:cdf462088d13	1063	* Potential memory leak in ssl_ticket_keys_init()
markrad	0:cdf462088d13	1064	* Memory leak in benchmark application
markrad	0:cdf462088d13	1065	* Fixed x509_crt_parse_path() bug on Windows platforms
markrad	0:cdf462088d13	1066	* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
markrad	0:cdf462088d13	1067	TrustInSoft)
markrad	0:cdf462088d13	1068	* Fixed potential overflow in certificate size verification in
markrad	0:cdf462088d13	1069	ssl_write_certificate() (found by TrustInSoft)
markrad	0:cdf462088d13	1070
markrad	0:cdf462088d13	1071	Security
markrad	0:cdf462088d13	1072	* Possible remotely-triggered out-of-bounds memory access fixed (found by
markrad	0:cdf462088d13	1073	TrustInSoft)
markrad	0:cdf462088d13	1074
markrad	0:cdf462088d13	1075	= PolarSSL 1.3.2 released on 2013-11-04
markrad	0:cdf462088d13	1076	Features
markrad	0:cdf462088d13	1077	* PK tests added to test framework
markrad	0:cdf462088d13	1078	* Added optional optimization for NIST MODP curves (POLARSSL_ECP_NIST_OPTIM)
markrad	0:cdf462088d13	1079	* Support for Camellia-GCM mode and ciphersuites
markrad	0:cdf462088d13	1080
markrad	0:cdf462088d13	1081	Changes
markrad	0:cdf462088d13	1082	* Padding checks in cipher layer are now constant-time
markrad	0:cdf462088d13	1083	* Value comparisons in SSL layer are now constant-time
markrad	0:cdf462088d13	1084	* Support for serialNumber, postalAddress and postalCode in X509 names
markrad	0:cdf462088d13	1085	* SSL Renegotiation was refactored
markrad	0:cdf462088d13	1086
markrad	0:cdf462088d13	1087	Bugfix
markrad	0:cdf462088d13	1088	* More stringent checks in cipher layer
markrad	0:cdf462088d13	1089	* Server does not send out extensions not advertised by client
markrad	0:cdf462088d13	1090	* Prevent possible alignment warnings on casting from char * to 'aligned *'
markrad	0:cdf462088d13	1091	* Misc fixes and additions to dependency checks
markrad	0:cdf462088d13	1092	* Const correctness
markrad	0:cdf462088d13	1093	* cert_write with selfsign should use issuer_name as subject_name
markrad	0:cdf462088d13	1094	* Fix ECDSA corner case: missing reduction mod N (found by DualTachyon)
markrad	0:cdf462088d13	1095	* Defines to handle UEFI environment under MSVC
markrad	0:cdf462088d13	1096	* Server-side initiated renegotiations send HelloRequest
markrad	0:cdf462088d13	1097
markrad	0:cdf462088d13	1098	= PolarSSL 1.3.1 released on 2013-10-15
markrad	0:cdf462088d13	1099	Features
markrad	0:cdf462088d13	1100	* Support for Brainpool curves and TLS ciphersuites (RFC 7027)
markrad	0:cdf462088d13	1101	* Support for ECDHE-PSK key-exchange and ciphersuites
markrad	0:cdf462088d13	1102	* Support for RSA-PSK key-exchange and ciphersuites
markrad	0:cdf462088d13	1103
markrad	0:cdf462088d13	1104	Changes
markrad	0:cdf462088d13	1105	* RSA blinding locks for a smaller amount of time
markrad	0:cdf462088d13	1106	* TLS compression only allocates working buffer once
markrad	0:cdf462088d13	1107	* Introduced POLARSSL_HAVE_READDIR_R for systems without it
markrad	0:cdf462088d13	1108	* config.h is more script-friendly
markrad	0:cdf462088d13	1109
markrad	0:cdf462088d13	1110	Bugfix
markrad	0:cdf462088d13	1111	* Missing MSVC defines added
markrad	0:cdf462088d13	1112	* Compile errors with POLARSSL_RSA_NO_CRT
markrad	0:cdf462088d13	1113	* Header files with 'polarssl/'
markrad	0:cdf462088d13	1114	* Const correctness
markrad	0:cdf462088d13	1115	* Possible naming collision in dhm_context
markrad	0:cdf462088d13	1116	* Better support for MSVC
markrad	0:cdf462088d13	1117	* threading_set_alt() name
markrad	0:cdf462088d13	1118	* Added missing x509write_crt_set_version()
markrad	0:cdf462088d13	1119
markrad	0:cdf462088d13	1120	= PolarSSL 1.3.0 released on 2013-10-01
markrad	0:cdf462088d13	1121	Features
markrad	0:cdf462088d13	1122	* Elliptic Curve Cryptography module added
markrad	0:cdf462088d13	1123	* Elliptic Curve Diffie Hellman module added
markrad	0:cdf462088d13	1124	* Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
markrad	0:cdf462088d13	1125	(ECDHE-based ciphersuites)
markrad	0:cdf462088d13	1126	* Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS
markrad	0:cdf462088d13	1127	(ECDSA-based ciphersuites)
markrad	0:cdf462088d13	1128	* Ability to specify allowed ciphersuites based on the protocol version.
markrad	0:cdf462088d13	1129	* PSK and DHE-PSK based ciphersuites added
markrad	0:cdf462088d13	1130	* Memory allocation abstraction layer added
markrad	0:cdf462088d13	1131	* Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
markrad	0:cdf462088d13	1132	* Threading abstraction layer added (dummy / pthread / alternate)
markrad	0:cdf462088d13	1133	* Public Key abstraction layer added
markrad	0:cdf462088d13	1134	* Parsing Elliptic Curve keys
markrad	0:cdf462088d13	1135	* Parsing Elliptic Curve certificates
markrad	0:cdf462088d13	1136	* Support for max_fragment_length extension (RFC 6066)
markrad	0:cdf462088d13	1137	* Support for truncated_hmac extension (RFC 6066)
markrad	0:cdf462088d13	1138	* Support for zeros-and-length (ANSI X.923) padding, one-and-zeros
markrad	0:cdf462088d13	1139	(ISO/IEC 7816-4) padding and zero padding in the cipher layer
markrad	0:cdf462088d13	1140	* Support for session tickets (RFC 5077)
markrad	0:cdf462088d13	1141	* Certificate Request (CSR) generation with extensions (key_usage,
markrad	0:cdf462088d13	1142	ns_cert_type)
markrad	0:cdf462088d13	1143	* X509 Certificate writing with extensions (basic_constraints,
markrad	0:cdf462088d13	1144	issuer_key_identifier, etc)
markrad	0:cdf462088d13	1145	* Optional blinding for RSA, DHM and EC
markrad	0:cdf462088d13	1146	* Support for multiple active certificate / key pairs in SSL servers for
markrad	0:cdf462088d13	1147	the same host (Not to be confused with SNI!)
markrad	0:cdf462088d13	1148
markrad	0:cdf462088d13	1149	Changes
markrad	0:cdf462088d13	1150	* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
markrad	0:cdf462088d13	1151	individually
markrad	0:cdf462088d13	1152	* Introduced separate SSL Ciphersuites module that is based on
markrad	0:cdf462088d13	1153	Cipher and MD information
markrad	0:cdf462088d13	1154	* Internals for SSL module adapted to have separate IV pointer that is
markrad	0:cdf462088d13	1155	dynamically set (Better support for hardware acceleration)
markrad	0:cdf462088d13	1156	* Moved all OID functionality to a separate module. RSA function
markrad	0:cdf462088d13	1157	prototypes for the RSA sign and verify functions changed as a result
markrad	0:cdf462088d13	1158	* Split up the GCM module into a starts/update/finish cycle
markrad	0:cdf462088d13	1159	* Client and server now filter sent and accepted ciphersuites on minimum
markrad	0:cdf462088d13	1160	and maximum protocol version
markrad	0:cdf462088d13	1161	* Ability to disable server_name extension (RFC 6066)
markrad	0:cdf462088d13	1162	* Renamed error_strerror() to the less conflicting polarssl_strerror()
markrad	0:cdf462088d13	1163	(Ability to keep old as well with POLARSSL_ERROR_STRERROR_BC)
markrad	0:cdf462088d13	1164	* SHA2 renamed to SHA256, SHA4 renamed to SHA512 and functions accordingly
markrad	0:cdf462088d13	1165	* All RSA operations require a random generator for blinding purposes
markrad	0:cdf462088d13	1166	* X509 core refactored
markrad	0:cdf462088d13	1167	* x509_crt_verify() now case insensitive for cn (RFC 6125 6.4)
markrad	0:cdf462088d13	1168	* Also compiles / runs without time-based functions (!POLARSSL_HAVE_TIME)
markrad	0:cdf462088d13	1169	* Support faulty X509 v1 certificates with extensions
markrad	0:cdf462088d13	1170	(POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3)
markrad	0:cdf462088d13	1171
markrad	0:cdf462088d13	1172	Bugfix
markrad	0:cdf462088d13	1173	* Fixed parse error in ssl_parse_certificate_request()
markrad	0:cdf462088d13	1174	* zlib compression/decompression skipped on empty blocks
markrad	0:cdf462088d13	1175	* Support for AIX header locations in net.c module
markrad	0:cdf462088d13	1176	* Fixed file descriptor leaks
markrad	0:cdf462088d13	1177
markrad	0:cdf462088d13	1178	Security
markrad	0:cdf462088d13	1179	* RSA blinding on CRT operations to counter timing attacks
markrad	0:cdf462088d13	1180	(found by Cyril Arnaud and Pierre-Alain Fouque)
markrad	0:cdf462088d13	1181
markrad	0:cdf462088d13	1182
markrad	0:cdf462088d13	1183	= Version 1.2.14 released 2015-05-??
markrad	0:cdf462088d13	1184
markrad	0:cdf462088d13	1185	Security
markrad	0:cdf462088d13	1186	* Fix potential invalid memory read in the server, that allows a client to
markrad	0:cdf462088d13	1187	crash it remotely (found by Caj Larsson).
markrad	0:cdf462088d13	1188	* Fix potential invalid memory read in certificate parsing, that allows a
markrad	0:cdf462088d13	1189	client to crash the server remotely if client authentication is enabled
markrad	0:cdf462088d13	1190	(found using Codenomicon Defensics).
markrad	0:cdf462088d13	1191	* Add countermeasure against "Lucky 13 strikes back" cache-based attack,
markrad	0:cdf462088d13	1192	https://dl.acm.org/citation.cfm?id=2714625
markrad	0:cdf462088d13	1193
markrad	0:cdf462088d13	1194	Bugfix
markrad	0:cdf462088d13	1195	* Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
markrad	0:cdf462088d13	1196	* Fix hardclock() (only used in the benchmarking program) with some
markrad	0:cdf462088d13	1197	versions of mingw64 (found by kxjhlele).
markrad	0:cdf462088d13	1198	* Fix warnings from mingw64 in timing.c (found by kxjklele).
markrad	0:cdf462088d13	1199	* Fix potential unintended sign extension in asn1_get_len() on 64-bit
markrad	0:cdf462088d13	1200	platforms (found with Coverity Scan).
markrad	0:cdf462088d13	1201
markrad	0:cdf462088d13	1202	= Version 1.2.13 released 2015-02-16
markrad	0:cdf462088d13	1203	Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
markrad	0:cdf462088d13	1204	this will be made in the 1.2 branch at this point.
markrad	0:cdf462088d13	1205
markrad	0:cdf462088d13	1206	Security
markrad	0:cdf462088d13	1207	* Fix remotely-triggerable uninitialised pointer dereference caused by
markrad	0:cdf462088d13	1208	crafted X.509 certificate (TLS server is not affected if it doesn't ask
markrad	0:cdf462088d13	1209	for a client certificate) (found using Codenomicon Defensics).
markrad	0:cdf462088d13	1210	* Fix remotely-triggerable memory leak caused by crafted X.509 certificates
markrad	0:cdf462088d13	1211	(TLS server is not affected if it doesn't ask for a client certificate)
markrad	0:cdf462088d13	1212	(found using Codenomicon Defensics).
markrad	0:cdf462088d13	1213	* Fix potential stack overflow while parsing crafted X.509 certificates
markrad	0:cdf462088d13	1214	(TLS server is not affected if it doesn't ask for a client certificate)
markrad	0:cdf462088d13	1215	found using Codenomicon Defensics).
markrad	0:cdf462088d13	1216	* Fix buffer overread of size 1 when parsing crafted X.509 certificates
markrad	0:cdf462088d13	1217	(TLS server is not affected if it doesn't ask for a client certificate).
markrad	0:cdf462088d13	1218
markrad	0:cdf462088d13	1219	Bugfix
markrad	0:cdf462088d13	1220	* Fix potential undefined behaviour in Camellia.
markrad	0:cdf462088d13	1221	* Fix memory leaks in PKCS#5 and PKCS#12.
markrad	0:cdf462088d13	1222	* Stack buffer overflow if ctr_drbg_update() is called with too large
markrad	0:cdf462088d13	1223	add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
markrad	0:cdf462088d13	1224	* Fix bug in MPI/bignum on s390/s390x (reported by Dan Horák) (introduced
markrad	0:cdf462088d13	1225	in 1.2.12).
markrad	0:cdf462088d13	1226	* Fix unchecked return code in x509_crt_parse_path() on Windows (found by
markrad	0:cdf462088d13	1227	Peter Vaskovic).
markrad	0:cdf462088d13	1228	* Fix assembly selection for MIPS64 (thanks to James Cowgill).
markrad	0:cdf462088d13	1229	* ssl_get_verify_result() now works even if the handshake was aborted due
markrad	0:cdf462088d13	1230	to a failed verification (found by Fredrik Axelsson).
markrad	0:cdf462088d13	1231	* Skip writing and parsing signature_algorithm extension if none of the
markrad	0:cdf462088d13	1232	key exchanges enabled needs certificates. This fixes a possible interop
markrad	0:cdf462088d13	1233	issue with some servers when a zero-length extension was sent. (Reported
markrad	0:cdf462088d13	1234	by Peter Dettman.)
markrad	0:cdf462088d13	1235	* On a 0-length input, base64_encode() did not correctly set output length
markrad	0:cdf462088d13	1236	(found by Hendrik van den Boogaard).
markrad	0:cdf462088d13	1237
markrad	0:cdf462088d13	1238	Changes
markrad	0:cdf462088d13	1239	* Blind RSA private operations even when POLARSSL_RSA_NO_CRT is defined.
markrad	0:cdf462088d13	1240	* Forbid repeated extensions in X.509 certificates.
markrad	0:cdf462088d13	1241	* Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the
markrad	0:cdf462088d13	1242	length of an X.509 verification chain (default = 8).
markrad	0:cdf462088d13	1243	= Version 1.2.12 released 2014-10-24
markrad	0:cdf462088d13	1244
markrad	0:cdf462088d13	1245	Security
markrad	0:cdf462088d13	1246	* Remotely-triggerable memory leak when parsing some X.509 certificates
markrad	0:cdf462088d13	1247	(server is not affected if it doesn't ask for a client certificate).
markrad	0:cdf462088d13	1248	(Found using Codenomicon Defensics.)
markrad	0:cdf462088d13	1249
markrad	0:cdf462088d13	1250	Bugfix
markrad	0:cdf462088d13	1251	* Fix potential bad read in parsing ServerHello (found by Adrien
markrad	0:cdf462088d13	1252	Vialletelle).
markrad	0:cdf462088d13	1253	* ssl_close_notify() could send more than one message in some circumstances
markrad	0:cdf462088d13	1254	with non-blocking I/O.
markrad	0:cdf462088d13	1255	* x509_crt_parse() did not increase total_failed on PEM error
markrad	0:cdf462088d13	1256	* Fix compiler warnings on iOS (found by Sander Niemeijer).
markrad	0:cdf462088d13	1257	* Don't print uninitialised buffer in ssl_mail_client (found by Marc Abel).
markrad	0:cdf462088d13	1258	* Fix net_accept() regarding non-blocking sockets (found by Luca Pesce).
markrad	0:cdf462088d13	1259	* ssl_read() could return non-application data records on server while
markrad	0:cdf462088d13	1260	renegotation was pending, and on client when a HelloRequest was received.
markrad	0:cdf462088d13	1261	* Fix warnings from Clang's scan-build (contributed by Alfred Klomp).
markrad	0:cdf462088d13	1262
markrad	0:cdf462088d13	1263	Changes
markrad	0:cdf462088d13	1264	* X.509 certificates with more than one AttributeTypeAndValue per
markrad	0:cdf462088d13	1265	RelativeDistinguishedName are not accepted any more.
markrad	0:cdf462088d13	1266	* ssl_read() now returns POLARSSL_ERR_NET_WANT_READ rather than
markrad	0:cdf462088d13	1267	POLARSSL_ERR_SSL_UNEXPECTED_MESSAGE on harmless alerts.
markrad	0:cdf462088d13	1268	* Accept spaces at end of line or end of buffer in base64_decode().
markrad	0:cdf462088d13	1269
markrad	0:cdf462088d13	1270	= Version 1.2.11 released 2014-07-11
markrad	0:cdf462088d13	1271	Features
markrad	0:cdf462088d13	1272	* Entropy module now supports seed writing and reading
markrad	0:cdf462088d13	1273
markrad	0:cdf462088d13	1274	Changes
markrad	0:cdf462088d13	1275	* Introduced POLARSSL_HAVE_READDIR_R for systems without it
markrad	0:cdf462088d13	1276	* Improvements to the CMake build system, contributed by Julian Ospald.
markrad	0:cdf462088d13	1277	* Work around a bug of the version of Clang shipped by Apple with Mavericks
markrad	0:cdf462088d13	1278	that prevented bignum.c from compiling. (Reported by Rafael Baptista.)
markrad	0:cdf462088d13	1279	* Improvements to tests/Makefile, contributed by Oden Eriksson.
markrad	0:cdf462088d13	1280	* Use UTC time to check certificate validity.
markrad	0:cdf462088d13	1281	* Reject certificates with times not in UTC, per RFC 5280.
markrad	0:cdf462088d13	1282	* Migrate zeroizing of data to polarssl_zeroize() instead of memset()
markrad	0:cdf462088d13	1283	against unwanted compiler optimizations
markrad	0:cdf462088d13	1284
markrad	0:cdf462088d13	1285	Security
markrad	0:cdf462088d13	1286	* Forbid change of server certificate during renegotiation to prevent
markrad	0:cdf462088d13	1287	"triple handshake" attack when authentication mode is optional (the
markrad	0:cdf462088d13	1288	attack was already impossible when authentication is required).
markrad	0:cdf462088d13	1289	* Check notBefore timestamp of certificates and CRLs from the future.
markrad	0:cdf462088d13	1290	* Forbid sequence number wrapping
markrad	0:cdf462088d13	1291	* Prevent potential NULL pointer dereference in ssl_read_record() (found by
markrad	0:cdf462088d13	1292	TrustInSoft)
markrad	0:cdf462088d13	1293	* Fix length checking for AEAD ciphersuites (found by Codenomicon).
markrad	0:cdf462088d13	1294	It was possible to crash the server (and client) using crafted messages
markrad	0:cdf462088d13	1295	when a GCM suite was chosen.
markrad	0:cdf462088d13	1296
markrad	0:cdf462088d13	1297	Bugfix
markrad	0:cdf462088d13	1298	* Fixed X.509 hostname comparison (with non-regular characters)
markrad	0:cdf462088d13	1299	* SSL now gracefully handles missing RNG
markrad	0:cdf462088d13	1300	* crypt_and_hash app checks MAC before final decryption
markrad	0:cdf462088d13	1301	* Fixed x509_crt_parse_path() bug on Windows platforms
markrad	0:cdf462088d13	1302	* Added missing MPI_CHK() around some statements in mpi_div_mpi() (found by
markrad	0:cdf462088d13	1303	TrustInSoft)
markrad	0:cdf462088d13	1304	* Fixed potential overflow in certificate size verification in
markrad	0:cdf462088d13	1305	ssl_write_certificate() (found by TrustInSoft)
markrad	0:cdf462088d13	1306	* Fix ASM format in bn_mul.h
markrad	0:cdf462088d13	1307	* Potential memory leak in bignum_selftest()
markrad	0:cdf462088d13	1308	* Replaced expired test certificate
markrad	0:cdf462088d13	1309	* ssl_mail_client now terminates lines with CRLF, instead of LF
markrad	0:cdf462088d13	1310	* Fix bug in RSA PKCS#1 v1.5 "reversed" operations
markrad	0:cdf462088d13	1311	* Fixed testing with out-of-source builds using cmake
markrad	0:cdf462088d13	1312	* Fixed version-major intolerance in server
markrad	0:cdf462088d13	1313	* Fixed CMake symlinking on out-of-source builds
markrad	0:cdf462088d13	1314	* Bignum's MIPS-32 assembly was used on MIPS-64, causing chaos. (Found by
markrad	0:cdf462088d13	1315	Alex Wilson.)
markrad	0:cdf462088d13	1316	* ssl_init() was leaving a dirty pointer in ssl_context if malloc of
markrad	0:cdf462088d13	1317	out_ctr failed
markrad	0:cdf462088d13	1318	* ssl_handshake_init() was leaving dirty pointers in subcontexts if malloc
markrad	0:cdf462088d13	1319	of one of them failed
markrad	0:cdf462088d13	1320	* x509_get_current_time() uses localtime_r() to prevent thread issues
markrad	0:cdf462088d13	1321	* Some example server programs were not sending the close_notify alert.
markrad	0:cdf462088d13	1322	* Potential memory leak in mpi_exp_mod() when error occurs during
markrad	0:cdf462088d13	1323	calculation of RR.
markrad	0:cdf462088d13	1324	* Improve interoperability by not writing extension length in ClientHello
markrad	0:cdf462088d13	1325	when no extensions are present (found by Matthew Page)
markrad	0:cdf462088d13	1326	* rsa_check_pubkey() now allows an E up to N
markrad	0:cdf462088d13	1327	* On OpenBSD, use arc4random_buf() instead of rand() to prevent warnings
markrad	0:cdf462088d13	1328	* mpi_fill_random() was creating numbers larger than requested on
markrad	0:cdf462088d13	1329	big-endian platform when size was not an integer number of limbs
markrad	0:cdf462088d13	1330	* Fix detection of DragonflyBSD in net.c (found by Markus Pfeiffer)
markrad	0:cdf462088d13	1331	* Stricter check on SSL ClientHello internal sizes compared to actual packet
markrad	0:cdf462088d13	1332	size (found by TrustInSoft)
markrad	0:cdf462088d13	1333	* Fix preprocessor checks for bn_mul PPC asm (found by Barry K. Nathan).
markrad	0:cdf462088d13	1334	* Use \n\t rather than semicolons for bn_mul asm, since some assemblers
markrad	0:cdf462088d13	1335	interpret semicolons as comment delimiters (found by Barry K. Nathan).
markrad	0:cdf462088d13	1336	* Disable broken Sparc64 bn_mul assembly (found by Florian Obser).
markrad	0:cdf462088d13	1337	* Fix base64_decode() to return and check length correctly (in case of
markrad	0:cdf462088d13	1338	tight buffers)
markrad	0:cdf462088d13	1339
markrad	0:cdf462088d13	1340	= Version 1.2.10 released 2013-10-07
markrad	0:cdf462088d13	1341	Changes
markrad	0:cdf462088d13	1342	* Changed RSA blinding to a slower but thread-safe version
markrad	0:cdf462088d13	1343
markrad	0:cdf462088d13	1344	Bugfix
markrad	0:cdf462088d13	1345	* Fixed memory leak in RSA as a result of introduction of blinding
markrad	0:cdf462088d13	1346	* Fixed ssl_pkcs11_decrypt() prototype
markrad	0:cdf462088d13	1347	* Fixed MSVC project files
markrad	0:cdf462088d13	1348
markrad	0:cdf462088d13	1349	= Version 1.2.9 released 2013-10-01
markrad	0:cdf462088d13	1350	Changes
markrad	0:cdf462088d13	1351	* x509_verify() now case insensitive for cn (RFC 6125 6.4)
markrad	0:cdf462088d13	1352
markrad	0:cdf462088d13	1353	Bugfix
markrad	0:cdf462088d13	1354	* Fixed potential memory leak when failing to resume a session
markrad	0:cdf462088d13	1355	* Fixed potential file descriptor leaks (found by Remi Gacogne)
markrad	0:cdf462088d13	1356	* Minor fixes
markrad	0:cdf462088d13	1357
markrad	0:cdf462088d13	1358	Security
markrad	0:cdf462088d13	1359	* Fixed potential heap buffer overflow on large hostname setting
markrad	0:cdf462088d13	1360	* Fixed potential negative value misinterpretation in load_file()
markrad	0:cdf462088d13	1361	* RSA blinding on CRT operations to counter timing attacks
markrad	0:cdf462088d13	1362	(found by Cyril Arnaud and Pierre-Alain Fouque)
markrad	0:cdf462088d13	1363
markrad	0:cdf462088d13	1364	= Version 1.2.8 released 2013-06-19
markrad	0:cdf462088d13	1365	Features
markrad	0:cdf462088d13	1366	* Parsing of PKCS#8 encrypted private key files
markrad	0:cdf462088d13	1367	* PKCS#12 PBE and derivation functions
markrad	0:cdf462088d13	1368	* Centralized module option values in config.h to allow user-defined
markrad	0:cdf462088d13	1369	settings without editing header files by using POLARSSL_CONFIG_OPTIONS
markrad	0:cdf462088d13	1370
markrad	0:cdf462088d13	1371	Changes
markrad	0:cdf462088d13	1372	* HAVEGE random generator disabled by default
markrad	0:cdf462088d13	1373	* Internally split up x509parse_key() into a (PEM) handler function
markrad	0:cdf462088d13	1374	and specific DER parser functions for the PKCS#1 and unencrypted
markrad	0:cdf462088d13	1375	PKCS#8 private key formats
markrad	0:cdf462088d13	1376	* Added mechanism to provide alternative implementations for all
markrad	0:cdf462088d13	1377	symmetric cipher and hash algorithms (e.g. POLARSSL_AES_ALT in
markrad	0:cdf462088d13	1378	config.h)
markrad	0:cdf462088d13	1379	* PKCS#5 module added. Moved PBKDF2 functionality inside and deprecated
markrad	0:cdf462088d13	1380	old PBKDF2 module
markrad	0:cdf462088d13	1381
markrad	0:cdf462088d13	1382	Bugfix
markrad	0:cdf462088d13	1383	* Secure renegotiation extension should only be sent in case client
markrad	0:cdf462088d13	1384	supports secure renegotiation
markrad	0:cdf462088d13	1385	* Fixed offset for cert_type list in ssl_parse_certificate_request()
markrad	0:cdf462088d13	1386	* Fixed const correctness issues that have no impact on the ABI
markrad	0:cdf462088d13	1387	* x509parse_crt() now better handles PEM error situations
markrad	0:cdf462088d13	1388	* ssl_parse_certificate() now calls x509parse_crt_der() directly
markrad	0:cdf462088d13	1389	instead of the x509parse_crt() wrapper that can also parse PEM
markrad	0:cdf462088d13	1390	certificates
markrad	0:cdf462088d13	1391	* x509parse_crtpath() is now reentrant and uses more portable stat()
markrad	0:cdf462088d13	1392	* Fixed bignum.c and bn_mul.h to support Thumb2 and LLVM compiler
markrad	0:cdf462088d13	1393	* Fixed values for 2-key Triple DES in cipher layer
markrad	0:cdf462088d13	1394	* ssl_write_certificate_request() can handle empty ca_chain
markrad	0:cdf462088d13	1395
markrad	0:cdf462088d13	1396	Security
markrad	0:cdf462088d13	1397	* A possible DoS during the SSL Handshake, due to faulty parsing of
markrad	0:cdf462088d13	1398	PEM-encoded certificates has been fixed (found by Jack Lloyd)
markrad	0:cdf462088d13	1399
markrad	0:cdf462088d13	1400	= Version 1.2.7 released 2013-04-13
markrad	0:cdf462088d13	1401	Features
markrad	0:cdf462088d13	1402	* Ability to specify allowed ciphersuites based on the protocol version.
markrad	0:cdf462088d13	1403
markrad	0:cdf462088d13	1404	Changes
markrad	0:cdf462088d13	1405	* Default Blowfish keysize is now 128-bits
markrad	0:cdf462088d13	1406	* Test suites made smaller to accommodate Raspberry Pi
markrad	0:cdf462088d13	1407
markrad	0:cdf462088d13	1408	Bugfix
markrad	0:cdf462088d13	1409	* Fix for MPI assembly for ARM
markrad	0:cdf462088d13	1410	* GCM adapted to support sizes > 2^29
markrad	0:cdf462088d13	1411
markrad	0:cdf462088d13	1412	= Version 1.2.6 released 2013-03-11
markrad	0:cdf462088d13	1413	Bugfix
markrad	0:cdf462088d13	1414	* Fixed memory leak in ssl_free() and ssl_reset() for active session
markrad	0:cdf462088d13	1415	* Corrected GCM counter incrementation to use only 32-bits instead of
markrad	0:cdf462088d13	1416	128-bits (found by Yawning Angel)
markrad	0:cdf462088d13	1417	* Fixes for 64-bit compilation with MS Visual Studio
markrad	0:cdf462088d13	1418	* Fixed net_bind() for specified IP addresses on little endian systems
markrad	0:cdf462088d13	1419	* Fixed assembly code for ARM (Thumb and regular) for some compilers
markrad	0:cdf462088d13	1420
markrad	0:cdf462088d13	1421	Changes
markrad	0:cdf462088d13	1422	* Internally split up rsa_pkcs1_encrypt(), rsa_pkcs1_decrypt(),
markrad	0:cdf462088d13	1423	rsa_pkcs1_sign() and rsa_pkcs1_verify() to separate PKCS#1 v1.5 and
markrad	0:cdf462088d13	1424	PKCS#1 v2.1 functions
markrad	0:cdf462088d13	1425	* Added support for custom labels when using rsa_rsaes_oaep_encrypt()
markrad	0:cdf462088d13	1426	or rsa_rsaes_oaep_decrypt()
markrad	0:cdf462088d13	1427	* Re-added handling for SSLv2 Client Hello when the define
markrad	0:cdf462088d13	1428	POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is set
markrad	0:cdf462088d13	1429	* The SSL session cache module (ssl_cache) now also retains peer_cert
markrad	0:cdf462088d13	1430	information (not the entire chain)
markrad	0:cdf462088d13	1431
markrad	0:cdf462088d13	1432	Security
markrad	0:cdf462088d13	1433	* Removed further timing differences during SSL message decryption in
markrad	0:cdf462088d13	1434	ssl_decrypt_buf()
markrad	0:cdf462088d13	1435	* Removed timing differences due to bad padding from
markrad	0:cdf462088d13	1436	rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
markrad	0:cdf462088d13	1437	operations
markrad	0:cdf462088d13	1438
markrad	0:cdf462088d13	1439	= Version 1.2.5 released 2013-02-02
markrad	0:cdf462088d13	1440	Changes
markrad	0:cdf462088d13	1441	* Allow enabling of dummy error_strerror() to support some use-cases
markrad	0:cdf462088d13	1442	* Debug messages about padding errors during SSL message decryption are
markrad	0:cdf462088d13	1443	disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
markrad	0:cdf462088d13	1444	* Sending of security-relevant alert messages that do not break
markrad	0:cdf462088d13	1445	interoperability can be switched on/off with the flag
markrad	0:cdf462088d13	1446	POLARSSL_SSL_ALL_ALERT_MESSAGES
markrad	0:cdf462088d13	1447
markrad	0:cdf462088d13	1448	Security
markrad	0:cdf462088d13	1449	* Removed timing differences during SSL message decryption in
markrad	0:cdf462088d13	1450	ssl_decrypt_buf() due to badly formatted padding
markrad	0:cdf462088d13	1451
markrad	0:cdf462088d13	1452	= Version 1.2.4 released 2013-01-25
markrad	0:cdf462088d13	1453	Changes
markrad	0:cdf462088d13	1454	* More advanced SSL ciphersuite representation and moved to more dynamic
markrad	0:cdf462088d13	1455	SSL core
markrad	0:cdf462088d13	1456	* Added ssl_handshake_step() to allow single stepping the handshake process
markrad	0:cdf462088d13	1457
markrad	0:cdf462088d13	1458	Bugfix
markrad	0:cdf462088d13	1459	* Memory leak when using RSA_PKCS_V21 operations fixed
markrad	0:cdf462088d13	1460	* Handle future version properly in ssl_write_certificate_request()
markrad	0:cdf462088d13	1461	* Correctly handle CertificateRequest message in client for <= TLS 1.1
markrad	0:cdf462088d13	1462	without DN list
markrad	0:cdf462088d13	1463
markrad	0:cdf462088d13	1464	= Version 1.2.3 released 2012-11-26
markrad	0:cdf462088d13	1465	Bugfix
markrad	0:cdf462088d13	1466	* Server not always sending correct CertificateRequest message
markrad	0:cdf462088d13	1467
markrad	0:cdf462088d13	1468	= Version 1.2.2 released 2012-11-24
markrad	0:cdf462088d13	1469	Changes
markrad	0:cdf462088d13	1470	* Added p_hw_data to ssl_context for context specific hardware acceleration
markrad	0:cdf462088d13	1471	data
markrad	0:cdf462088d13	1472	* During verify trust-CA is only checked for expiration and CRL presence
markrad	0:cdf462088d13	1473
markrad	0:cdf462088d13	1474	Bugfixes
markrad	0:cdf462088d13	1475	* Fixed client authentication compatibility
markrad	0:cdf462088d13	1476	* Fixed dependency on POLARSSL_SHA4_C in SSL modules
markrad	0:cdf462088d13	1477
markrad	0:cdf462088d13	1478	= Version 1.2.1 released 2012-11-20
markrad	0:cdf462088d13	1479	Changes
markrad	0:cdf462088d13	1480	* Depth that the certificate verify callback receives is now numbered
markrad	0:cdf462088d13	1481	bottom-up (Peer cert depth is 0)
markrad	0:cdf462088d13	1482
markrad	0:cdf462088d13	1483	Bugfixes
markrad	0:cdf462088d13	1484	* Fixes for MSVC6
markrad	0:cdf462088d13	1485	* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
markrad	0:cdf462088d13	1486	* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
markrad	0:cdf462088d13	1487	Pégourié-Gonnard)
markrad	0:cdf462088d13	1488	* Fixed possible segfault in mpi_shift_r() (found by Manuel
markrad	0:cdf462088d13	1489	Pégourié-Gonnard)
markrad	0:cdf462088d13	1490	* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
markrad	0:cdf462088d13	1491
markrad	0:cdf462088d13	1492	= Version 1.2.0 released 2012-10-31
markrad	0:cdf462088d13	1493	Features
markrad	0:cdf462088d13	1494	* Added support for NULL cipher (POLARSSL_CIPHER_NULL_CIPHER) and weak
markrad	0:cdf462088d13	1495	ciphersuites (POLARSSL_ENABLE_WEAK_CIPHERSUITES). They are disabled by
markrad	0:cdf462088d13	1496	default!
markrad	0:cdf462088d13	1497	* Added support for wildcard certificates
markrad	0:cdf462088d13	1498	* Added support for multi-domain certificates through the X509 Subject
markrad	0:cdf462088d13	1499	Alternative Name extension
markrad	0:cdf462088d13	1500	* Added preliminary ASN.1 buffer writing support
markrad	0:cdf462088d13	1501	* Added preliminary X509 Certificate Request writing support
markrad	0:cdf462088d13	1502	* Added key_app_writer example application
markrad	0:cdf462088d13	1503	* Added cert_req example application
markrad	0:cdf462088d13	1504	* Added base Galois Counter Mode (GCM) for AES
markrad	0:cdf462088d13	1505	* Added TLS 1.2 support (RFC 5246)
markrad	0:cdf462088d13	1506	* Added GCM suites to TLS 1.2 (RFC 5288)
markrad	0:cdf462088d13	1507	* Added commandline error code convertor (util/strerror)
markrad	0:cdf462088d13	1508	* Added support for Hardware Acceleration hooking in SSL/TLS
markrad	0:cdf462088d13	1509	* Added OpenSSL / PolarSSL compatibility script (tests/compat.sh) and
markrad	0:cdf462088d13	1510	example application (programs/ssl/o_p_test) (requires OpenSSL)
markrad	0:cdf462088d13	1511	* Added X509 CA Path support
markrad	0:cdf462088d13	1512	* Added Thumb assembly optimizations
markrad	0:cdf462088d13	1513	* Added DEFLATE compression support as per RFC3749 (requires zlib)
markrad	0:cdf462088d13	1514	* Added blowfish algorithm (Generic and cipher layer)
markrad	0:cdf462088d13	1515	* Added PKCS#5 PBKDF2 key derivation function
markrad	0:cdf462088d13	1516	* Added Secure Renegotiation (RFC 5746)
markrad	0:cdf462088d13	1517	* Added predefined DHM groups from RFC 5114
markrad	0:cdf462088d13	1518	* Added simple SSL session cache implementation
markrad	0:cdf462088d13	1519	* Added ServerName extension parsing (SNI) at server side
markrad	0:cdf462088d13	1520	* Added option to add minimum accepted SSL/TLS protocol version
markrad	0:cdf462088d13	1521
markrad	0:cdf462088d13	1522	Changes
markrad	0:cdf462088d13	1523	* Removed redundant POLARSSL_DEBUG_MSG define
markrad	0:cdf462088d13	1524	* AES code only check for Padlock once
markrad	0:cdf462088d13	1525	* Fixed const-correctness mpi_get_bit()
markrad	0:cdf462088d13	1526	* Documentation for mpi_lsb() and mpi_msb()
markrad	0:cdf462088d13	1527	* Moved out_msg to out_hdr + 32 to support hardware acceleration
markrad	0:cdf462088d13	1528	* Changed certificate verify behaviour to comply with RFC 6125 section 6.3
markrad	0:cdf462088d13	1529	to not match CN if subjectAltName extension is present (Closes ticket #56)
markrad	0:cdf462088d13	1530	* Cipher layer cipher_mode_t POLARSSL_MODE_CFB128 is renamed to
markrad	0:cdf462088d13	1531	POLARSSL_MODE_CFB, to also handle different block size CFB modes.
markrad	0:cdf462088d13	1532	* Removed handling for SSLv2 Client Hello (as per RFC 5246 recommendation)
markrad	0:cdf462088d13	1533	* Revamped session resumption handling
markrad	0:cdf462088d13	1534	* Generalized external private key implementation handling (like PKCS#11)
markrad	0:cdf462088d13	1535	in SSL/TLS
markrad	0:cdf462088d13	1536	* Revamped x509_verify() and the SSL f_vrfy callback implementations
markrad	0:cdf462088d13	1537	* Moved from unsigned long to fixed width uint32_t types throughout code
markrad	0:cdf462088d13	1538	* Renamed ciphersuites naming scheme to IANA reserved names
markrad	0:cdf462088d13	1539
markrad	0:cdf462088d13	1540	Bugfix
markrad	0:cdf462088d13	1541	* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
markrad	0:cdf462088d13	1542	Hui Dong)
markrad	0:cdf462088d13	1543	* Fixed potential heap corruption in x509_name allocation
markrad	0:cdf462088d13	1544	* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
markrad	0:cdf462088d13	1545	* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
markrad	0:cdf462088d13	1546	#52)
markrad	0:cdf462088d13	1547	* Handle encryption with private key and decryption with public key as per
markrad	0:cdf462088d13	1548	RFC 2313
markrad	0:cdf462088d13	1549	* Handle empty certificate subject names
markrad	0:cdf462088d13	1550	* Prevent reading over buffer boundaries on X509 certificate parsing
markrad	0:cdf462088d13	1551	* mpi_add_abs() now correctly handles adding short numbers to long numbers
markrad	0:cdf462088d13	1552	with carry rollover (found by Ruslan Yushchenko)
markrad	0:cdf462088d13	1553	* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
markrad	0:cdf462088d13	1554	* Fixed MPI assembly for SPARC64 platform
markrad	0:cdf462088d13	1555
markrad	0:cdf462088d13	1556	Security
markrad	0:cdf462088d13	1557	* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
markrad	0:cdf462088d13	1558	Vanderbeken)
markrad	0:cdf462088d13	1559
markrad	0:cdf462088d13	1560	= Version 1.1.8 released on 2013-10-01
markrad	0:cdf462088d13	1561	Bugfix
markrad	0:cdf462088d13	1562	* Fixed potential memory leak when failing to resume a session
markrad	0:cdf462088d13	1563	* Fixed potential file descriptor leaks
markrad	0:cdf462088d13	1564
markrad	0:cdf462088d13	1565	Security
markrad	0:cdf462088d13	1566	* Potential buffer-overflow for ssl_read_record() (independently found by
markrad	0:cdf462088d13	1567	both TrustInSoft and Paul Brodeur of Leviathan Security Group)
markrad	0:cdf462088d13	1568	* Potential negative value misinterpretation in load_file()
markrad	0:cdf462088d13	1569	* Potential heap buffer overflow on large hostname setting
markrad	0:cdf462088d13	1570
markrad	0:cdf462088d13	1571	= Version 1.1.7 released on 2013-06-19
markrad	0:cdf462088d13	1572	Changes
markrad	0:cdf462088d13	1573	* HAVEGE random generator disabled by default
markrad	0:cdf462088d13	1574
markrad	0:cdf462088d13	1575	Bugfix
markrad	0:cdf462088d13	1576	* x509parse_crt() now better handles PEM error situations
markrad	0:cdf462088d13	1577	* ssl_parse_certificate() now calls x509parse_crt_der() directly
markrad	0:cdf462088d13	1578	instead of the x509parse_crt() wrapper that can also parse PEM
markrad	0:cdf462088d13	1579	certificates
markrad	0:cdf462088d13	1580	* Fixed values for 2-key Triple DES in cipher layer
markrad	0:cdf462088d13	1581	* ssl_write_certificate_request() can handle empty ca_chain
markrad	0:cdf462088d13	1582
markrad	0:cdf462088d13	1583	Security
markrad	0:cdf462088d13	1584	* A possible DoS during the SSL Handshake, due to faulty parsing of
markrad	0:cdf462088d13	1585	PEM-encoded certificates has been fixed (found by Jack Lloyd)
markrad	0:cdf462088d13	1586
markrad	0:cdf462088d13	1587	= Version 1.1.6 released on 2013-03-11
markrad	0:cdf462088d13	1588	Bugfix
markrad	0:cdf462088d13	1589	* Fixed net_bind() for specified IP addresses on little endian systems
markrad	0:cdf462088d13	1590
markrad	0:cdf462088d13	1591	Changes
markrad	0:cdf462088d13	1592	* Allow enabling of dummy error_strerror() to support some use-cases
markrad	0:cdf462088d13	1593	* Debug messages about padding errors during SSL message decryption are
markrad	0:cdf462088d13	1594	disabled by default and can be enabled with POLARSSL_SSL_DEBUG_ALL
markrad	0:cdf462088d13	1595
markrad	0:cdf462088d13	1596	Security
markrad	0:cdf462088d13	1597	* Removed timing differences during SSL message decryption in
markrad	0:cdf462088d13	1598	ssl_decrypt_buf()
markrad	0:cdf462088d13	1599	* Removed timing differences due to bad padding from
markrad	0:cdf462088d13	1600	rsa_rsaes_pkcs1_v15_decrypt() and rsa_pkcs1_decrypt() for PKCS#1 v1.5
markrad	0:cdf462088d13	1601	operations
markrad	0:cdf462088d13	1602
markrad	0:cdf462088d13	1603	= Version 1.1.5 released on 2013-01-16
markrad	0:cdf462088d13	1604	Bugfix
markrad	0:cdf462088d13	1605	* Fixed MPI assembly for SPARC64 platform
markrad	0:cdf462088d13	1606	* Handle existence of OpenSSL Trust Extensions at end of X.509 DER blob
markrad	0:cdf462088d13	1607	* mpi_add_abs() now correctly handles adding short numbers to long numbers
markrad	0:cdf462088d13	1608	with carry rollover
markrad	0:cdf462088d13	1609	* Moved mpi_inv_mod() outside POLARSSL_GENPRIME
markrad	0:cdf462088d13	1610	* Prevent reading over buffer boundaries on X509 certificate parsing
markrad	0:cdf462088d13	1611	* mpi_exp_mod() now correctly handles negative base numbers (Closes ticket
markrad	0:cdf462088d13	1612	#52)
markrad	0:cdf462088d13	1613	* Fixed possible segfault in mpi_shift_r() (found by Manuel
markrad	0:cdf462088d13	1614	Pégourié-Gonnard)
markrad	0:cdf462088d13	1615	* Allow R and A to point to same mpi in mpi_div_mpi (found by Manuel
markrad	0:cdf462088d13	1616	Pégourié-Gonnard)
markrad	0:cdf462088d13	1617	* Added max length check for rsa_pkcs1_sign with PKCS#1 v2.1
markrad	0:cdf462088d13	1618	* Memory leak when using RSA_PKCS_V21 operations fixed
markrad	0:cdf462088d13	1619	* Handle encryption with private key and decryption with public key as per
markrad	0:cdf462088d13	1620	RFC 2313
markrad	0:cdf462088d13	1621	* Fixes for MSVC6
markrad	0:cdf462088d13	1622
markrad	0:cdf462088d13	1623	Security
markrad	0:cdf462088d13	1624	* Fixed potential memory zeroization on miscrafted RSA key (found by Eloi
markrad	0:cdf462088d13	1625	Vanderbeken)
markrad	0:cdf462088d13	1626
markrad	0:cdf462088d13	1627	= Version 1.1.4 released on 2012-05-31
markrad	0:cdf462088d13	1628	Bugfix
markrad	0:cdf462088d13	1629	* Correctly handle empty SSL/TLS packets (Found by James Yonan)
markrad	0:cdf462088d13	1630	* Fixed potential heap corruption in x509_name allocation
markrad	0:cdf462088d13	1631	* Fixed single RSA test that failed on Big Endian systems (Closes ticket #54)
markrad	0:cdf462088d13	1632
markrad	0:cdf462088d13	1633	= Version 1.1.3 released on 2012-04-29
markrad	0:cdf462088d13	1634	Bugfix
markrad	0:cdf462088d13	1635	* Fixed random MPI generation to not generate more size than requested.
markrad	0:cdf462088d13	1636
markrad	0:cdf462088d13	1637	= Version 1.1.2 released on 2012-04-26
markrad	0:cdf462088d13	1638	Bugfix
markrad	0:cdf462088d13	1639	* Fixed handling error in mpi_cmp_mpi() on longer B values (found by
markrad	0:cdf462088d13	1640	Hui Dong)
markrad	0:cdf462088d13	1641
markrad	0:cdf462088d13	1642	Security
markrad	0:cdf462088d13	1643	* Fixed potential memory corruption on miscrafted client messages (found by
markrad	0:cdf462088d13	1644	Frama-C team at CEA LIST)
markrad	0:cdf462088d13	1645	* Fixed generation of DHM parameters to correct length (found by Ruslan
markrad	0:cdf462088d13	1646	Yushchenko)
markrad	0:cdf462088d13	1647
markrad	0:cdf462088d13	1648	= Version 1.1.1 released on 2012-01-23
markrad	0:cdf462088d13	1649	Bugfix
markrad	0:cdf462088d13	1650	* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
markrad	0:cdf462088d13	1651	(Closes ticket #47, found by Hugo Leisink)
markrad	0:cdf462088d13	1652	* Fixed issues with Intel compiler on 64-bit systems (Closes ticket #50)
markrad	0:cdf462088d13	1653	* Fixed multiple compiler warnings for VS6 and armcc
markrad	0:cdf462088d13	1654	* Fixed bug in CTR_CRBG selftest
markrad	0:cdf462088d13	1655
markrad	0:cdf462088d13	1656	= Version 1.1.0 released on 2011-12-22
markrad	0:cdf462088d13	1657	Features
markrad	0:cdf462088d13	1658	* Added ssl_session_reset() to allow better multi-connection pools of
markrad	0:cdf462088d13	1659	SSL contexts without needing to set all non-connection-specific
markrad	0:cdf462088d13	1660	data and pointers again. Adapted ssl_server to use this functionality.
markrad	0:cdf462088d13	1661	* Added ssl_set_max_version() to allow clients to offer a lower maximum
markrad	0:cdf462088d13	1662	supported version to a server to help buggy server implementations.
markrad	0:cdf462088d13	1663	(Closes ticket #36)
markrad	0:cdf462088d13	1664	* Added cipher_get_cipher_mode() and cipher_get_cipher_operation()
markrad	0:cdf462088d13	1665	introspection functions (Closes ticket #40)
markrad	0:cdf462088d13	1666	* Added CTR_DRBG based on AES-256-CTR (NIST SP 800-90) random generator
markrad	0:cdf462088d13	1667	* Added a generic entropy accumulator that provides support for adding
markrad	0:cdf462088d13	1668	custom entropy sources and added some generic and platform dependent
markrad	0:cdf462088d13	1669	entropy sources
markrad	0:cdf462088d13	1670
markrad	0:cdf462088d13	1671	Changes
markrad	0:cdf462088d13	1672	* Documentation for AES and Camellia in modes CTR and CFB128 clarified.
markrad	0:cdf462088d13	1673	* Fixed rsa_encrypt and rsa_decrypt examples to use public key for
markrad	0:cdf462088d13	1674	encryption and private key for decryption. (Closes ticket #34)
markrad	0:cdf462088d13	1675	* Inceased maximum size of ASN1 length reads to 32-bits.
markrad	0:cdf462088d13	1676	* Added an EXPLICIT tag number parameter to x509_get_ext()
markrad	0:cdf462088d13	1677	* Added a separate CRL entry extension parsing function
markrad	0:cdf462088d13	1678	* Separated the ASN.1 parsing code from the X.509 specific parsing code.
markrad	0:cdf462088d13	1679	So now there is a module that is controlled with POLARSSL_ASN1_PARSE_C.
markrad	0:cdf462088d13	1680	* Changed the defined key-length of DES ciphers in cipher.h to include the
markrad	0:cdf462088d13	1681	parity bits, to prevent mistakes in copying data. (Closes ticket #33)
markrad	0:cdf462088d13	1682	* Loads of minimal changes to better support WINCE as a build target
markrad	0:cdf462088d13	1683	(Credits go to Marco Lizza)
markrad	0:cdf462088d13	1684	* Added POLARSSL_MPI_WINDOW_SIZE definition to allow easier time to memory
markrad	0:cdf462088d13	1685	trade-off
markrad	0:cdf462088d13	1686	* Introduced POLARSSL_MPI_MAX_SIZE and POLARSSL_MPI_MAX_BITS for MPI size
markrad	0:cdf462088d13	1687	management (Closes ticket #44)
markrad	0:cdf462088d13	1688	* Changed the used random function pointer to more flexible format. Renamed
markrad	0:cdf462088d13	1689	havege_rand() to havege_random() to prevent mistakes. Lots of changes as
markrad	0:cdf462088d13	1690	a consequence in library code and programs
markrad	0:cdf462088d13	1691	* Moved all examples programs to use the new entropy and CTR_DRBG
markrad	0:cdf462088d13	1692	* Added permissive certificate parsing to x509parse_crt() and
markrad	0:cdf462088d13	1693	x509parse_crtfile(). With permissive parsing the parsing does not stop on
markrad	0:cdf462088d13	1694	encountering a parse-error. Beware that the meaning of return values has
markrad	0:cdf462088d13	1695	changed!
markrad	0:cdf462088d13	1696	* All error codes are now negative. Even on mermory failures and IO errors.
markrad	0:cdf462088d13	1697
markrad	0:cdf462088d13	1698	Bugfix
markrad	0:cdf462088d13	1699	* Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes
markrad	0:cdf462088d13	1700	ticket #37)
markrad	0:cdf462088d13	1701	* Fixed a bug where the CRL parser expected an EXPLICIT ASN.1 tag
markrad	0:cdf462088d13	1702	before version numbers
markrad	0:cdf462088d13	1703	* Allowed X509 key usage parsing to accept 4 byte values instead of the
markrad	0:cdf462088d13	1704	standard 1 byte version sometimes used by Microsoft. (Closes ticket #38)
markrad	0:cdf462088d13	1705	* Fixed incorrect behaviour in case of RSASSA-PSS with a salt length
markrad	0:cdf462088d13	1706	smaller than the hash length. (Closes ticket #41)
markrad	0:cdf462088d13	1707	* If certificate serial is longer than 32 octets, serial number is now
markrad	0:cdf462088d13	1708	appended with '....' after first 28 octets
markrad	0:cdf462088d13	1709	* Improved build support for s390x and sparc64 in bignum.h
markrad	0:cdf462088d13	1710	* Fixed MS Visual C++ name clash with int64 in sha4.h
markrad	0:cdf462088d13	1711	* Corrected removal of leading "00:" in printing serial numbers in
markrad	0:cdf462088d13	1712	certificates and CRLs
markrad	0:cdf462088d13	1713
markrad	0:cdf462088d13	1714	= Version 1.0.0 released on 2011-07-27
markrad	0:cdf462088d13	1715	Features
markrad	0:cdf462088d13	1716	* Expanded cipher layer with support for CFB128 and CTR mode
markrad	0:cdf462088d13	1717	* Added rsa_encrypt and rsa_decrypt simple example programs.
markrad	0:cdf462088d13	1718
markrad	0:cdf462088d13	1719	Changes
markrad	0:cdf462088d13	1720	* The generic cipher and message digest layer now have normal error
markrad	0:cdf462088d13	1721	codes instead of integers
markrad	0:cdf462088d13	1722
markrad	0:cdf462088d13	1723	Bugfix
markrad	0:cdf462088d13	1724	* Undid faulty bug fix in ssl_write() when flushing old data (Ticket
markrad	0:cdf462088d13	1725	#18)
markrad	0:cdf462088d13	1726
markrad	0:cdf462088d13	1727	= Version 0.99-pre5 released on 2011-05-26
markrad	0:cdf462088d13	1728	Features
markrad	0:cdf462088d13	1729	* Added additional Cipher Block Modes to symmetric ciphers
markrad	0:cdf462088d13	1730	(AES CTR, Camellia CTR, XTEA CBC) including the option to
markrad	0:cdf462088d13	1731	enable and disable individual modes when needed
markrad	0:cdf462088d13	1732	* Functions requiring File System functions can now be disabled
markrad	0:cdf462088d13	1733	by undefining POLARSSL_FS_IO
markrad	0:cdf462088d13	1734	* A error_strerror function() has been added to translate between
markrad	0:cdf462088d13	1735	error codes and their description.
markrad	0:cdf462088d13	1736	* Added mpi_get_bit() and mpi_set_bit() individual bit setter/getter
markrad	0:cdf462088d13	1737	functions.
markrad	0:cdf462088d13	1738	* Added ssl_mail_client and ssl_fork_server as example programs.
markrad	0:cdf462088d13	1739
markrad	0:cdf462088d13	1740	Changes
markrad	0:cdf462088d13	1741	* Major argument / variable rewrite. Introduced use of size_t
markrad	0:cdf462088d13	1742	instead of int for buffer lengths and loop variables for
markrad	0:cdf462088d13	1743	better unsigned / signed use. Renamed internal bigint types
markrad	0:cdf462088d13	1744	t_int and t_dbl to t_uint and t_udbl in the process
markrad	0:cdf462088d13	1745	* mpi_init() and mpi_free() now only accept a single MPI
markrad	0:cdf462088d13	1746	argument and do not accept variable argument lists anymore.
markrad	0:cdf462088d13	1747	* The error codes have been remapped and combining error codes
markrad	0:cdf462088d13	1748	is now done with a PLUS instead of an OR as error codes
markrad	0:cdf462088d13	1749	used are negative.
markrad	0:cdf462088d13	1750	* Changed behaviour of net_read(), ssl_fetch_input() and ssl_recv().
markrad	0:cdf462088d13	1751	net_recv() now returns 0 on EOF instead of
markrad	0:cdf462088d13	1752	POLARSSL_ERR_NET_CONN_RESET. ssl_fetch_input() returns
markrad	0:cdf462088d13	1753	POLARSSL_ERR_SSL_CONN_EOF on an EOF from its f_recv() function.
markrad	0:cdf462088d13	1754	ssl_read() returns 0 if a POLARSSL_ERR_SSL_CONN_EOF is received
markrad	0:cdf462088d13	1755	after the handshake.
markrad	0:cdf462088d13	1756	* Network functions now return POLARSSL_ERR_NET_WANT_READ or
markrad	0:cdf462088d13	1757	POLARSSL_ERR_NET_WANT_WRITE instead of the ambiguous
markrad	0:cdf462088d13	1758	POLARSSL_ERR_NET_TRY_AGAIN
markrad	0:cdf462088d13	1759
markrad	0:cdf462088d13	1760	= Version 0.99-pre4 released on 2011-04-01
markrad	0:cdf462088d13	1761	Features
markrad	0:cdf462088d13	1762	* Added support for PKCS#1 v2.1 encoding and thus support
markrad	0:cdf462088d13	1763	for the RSAES-OAEP and RSASSA-PSS operations.
markrad	0:cdf462088d13	1764	* Reading of Public Key files incorporated into default x509
markrad	0:cdf462088d13	1765	functionality as well.
markrad	0:cdf462088d13	1766	* Added mpi_fill_random() for centralized filling of big numbers
markrad	0:cdf462088d13	1767	with random data (Fixed ticket #10)
markrad	0:cdf462088d13	1768
markrad	0:cdf462088d13	1769	Changes
markrad	0:cdf462088d13	1770	* Debug print of MPI now removes leading zero octets and
markrad	0:cdf462088d13	1771	displays actual bit size of the value.
markrad	0:cdf462088d13	1772	* x509parse_key() (and as a consequence x509parse_keyfile())
markrad	0:cdf462088d13	1773	does not zeroize memory in advance anymore. Use rsa_init()
markrad	0:cdf462088d13	1774	before parsing a key or keyfile!
markrad	0:cdf462088d13	1775
markrad	0:cdf462088d13	1776	Bugfix
markrad	0:cdf462088d13	1777	* Debug output of MPI's now the same independent of underlying
markrad	0:cdf462088d13	1778	platform (32-bit / 64-bit) (Fixes ticket #19, found by Mads
markrad	0:cdf462088d13	1779	Kiilerich and Mihai Militaru)
markrad	0:cdf462088d13	1780	* Fixed bug in ssl_write() when flushing old data (Fixed ticket
markrad	0:cdf462088d13	1781	#18, found by Nikolay Epifanov)
markrad	0:cdf462088d13	1782	* Fixed proper handling of RSASSA-PSS verification with variable
markrad	0:cdf462088d13	1783	length salt lengths
markrad	0:cdf462088d13	1784
markrad	0:cdf462088d13	1785	= Version 0.99-pre3 released on 2011-02-28
markrad	0:cdf462088d13	1786	This release replaces version 0.99-pre2 which had possible copyright issues.
markrad	0:cdf462088d13	1787	Features
markrad	0:cdf462088d13	1788	* Parsing PEM private keys encrypted with DES and AES
markrad	0:cdf462088d13	1789	are now supported as well (Fixes ticket #5)
markrad	0:cdf462088d13	1790	* Added crl_app program to allow easy reading and
markrad	0:cdf462088d13	1791	printing of X509 CRLs from file
markrad	0:cdf462088d13	1792
markrad	0:cdf462088d13	1793	Changes
markrad	0:cdf462088d13	1794	* Parsing of PEM files moved to separate module (Fixes
markrad	0:cdf462088d13	1795	ticket #13). Also possible to remove PEM support for
markrad	0:cdf462088d13	1796	systems only using DER encoding
markrad	0:cdf462088d13	1797
markrad	0:cdf462088d13	1798	Bugfixes
markrad	0:cdf462088d13	1799	* Corrected parsing of UTCTime dates before 1990 and
markrad	0:cdf462088d13	1800	after 1950
markrad	0:cdf462088d13	1801	* Support more exotic OID's when parsing certificates
markrad	0:cdf462088d13	1802	(found by Mads Kiilerich)
markrad	0:cdf462088d13	1803	* Support more exotic name representations when parsing
markrad	0:cdf462088d13	1804	certificates (found by Mads Kiilerich)
markrad	0:cdf462088d13	1805	* Replaced the expired test certificates
markrad	0:cdf462088d13	1806	* Do not bail out if no client certificate specified. Try
markrad	0:cdf462088d13	1807	to negotiate anonymous connection (Fixes ticket #12,
markrad	0:cdf462088d13	1808	found by Boris Krasnovskiy)
markrad	0:cdf462088d13	1809
markrad	0:cdf462088d13	1810	Security fixes
markrad	0:cdf462088d13	1811	* Fixed a possible Man-in-the-Middle attack on the
markrad	0:cdf462088d13	1812	Diffie Hellman key exchange (thanks to Larry Highsmith,
markrad	0:cdf462088d13	1813	Subreption LLC)
markrad	0:cdf462088d13	1814
markrad	0:cdf462088d13	1815	= Version 0.99-pre1 released on 2011-01-30
markrad	0:cdf462088d13	1816	Features
markrad	0:cdf462088d13	1817	Note: Most of these features have been donated by Fox-IT
markrad	0:cdf462088d13	1818	* Added Doxygen source code documentation parts
markrad	0:cdf462088d13	1819	* Added reading of DHM context from memory and file
markrad	0:cdf462088d13	1820	* Improved X509 certificate parsing to include extended
markrad	0:cdf462088d13	1821	certificate fields, including Key Usage
markrad	0:cdf462088d13	1822	* Improved certificate verification and verification
markrad	0:cdf462088d13	1823	against the available CRLs
markrad	0:cdf462088d13	1824	* Detection for DES weak keys and parity bits added
markrad	0:cdf462088d13	1825	* Improvements to support integration in other
markrad	0:cdf462088d13	1826	applications:
markrad	0:cdf462088d13	1827	+ Added generic message digest and cipher wrapper
markrad	0:cdf462088d13	1828	+ Improved information about current capabilities,
markrad	0:cdf462088d13	1829	status, objects and configuration
markrad	0:cdf462088d13	1830	+ Added verification callback on certificate chain
markrad	0:cdf462088d13	1831	verification to allow external blacklisting
markrad	0:cdf462088d13	1832	+ Additional example programs to show usage
markrad	0:cdf462088d13	1833	* Added support for PKCS#11 through the use of the
markrad	0:cdf462088d13	1834	libpkcs11-helper library
markrad	0:cdf462088d13	1835
markrad	0:cdf462088d13	1836	Changes
markrad	0:cdf462088d13	1837	* x509parse_time_expired() checks time in addition to
markrad	0:cdf462088d13	1838	the existing date check
markrad	0:cdf462088d13	1839	* The ciphers member of ssl_context and the cipher member
markrad	0:cdf462088d13	1840	of ssl_session have been renamed to ciphersuites and
markrad	0:cdf462088d13	1841	ciphersuite respectively. This clarifies the difference
markrad	0:cdf462088d13	1842	with the generic cipher layer and is better naming
markrad	0:cdf462088d13	1843	altogether
markrad	0:cdf462088d13	1844
markrad	0:cdf462088d13	1845	= Version 0.14.0 released on 2010-08-16
markrad	0:cdf462088d13	1846	Features
markrad	0:cdf462088d13	1847	* Added support for SSL_EDH_RSA_AES_128_SHA and
markrad	0:cdf462088d13	1848	SSL_EDH_RSA_CAMELLIA_128_SHA ciphersuites
markrad	0:cdf462088d13	1849	* Added compile-time and run-time version information
markrad	0:cdf462088d13	1850	* Expanded ssl_client2 arguments for more flexibility
markrad	0:cdf462088d13	1851	* Added support for TLS v1.1
markrad	0:cdf462088d13	1852
markrad	0:cdf462088d13	1853	Changes
markrad	0:cdf462088d13	1854	* Made Makefile cleaner
markrad	0:cdf462088d13	1855	* Removed dependency on rand() in rsa_pkcs1_encrypt().
markrad	0:cdf462088d13	1856	Now using random fuction provided to function and
markrad	0:cdf462088d13	1857	changed the prototype of rsa_pkcs1_encrypt(),
markrad	0:cdf462088d13	1858	rsa_init() and rsa_gen_key().
markrad	0:cdf462088d13	1859	* Some SSL defines were renamed in order to avoid
markrad	0:cdf462088d13	1860	future confusion
markrad	0:cdf462088d13	1861
markrad	0:cdf462088d13	1862	Bug fixes
markrad	0:cdf462088d13	1863	* Fixed CMake out of source build for tests (found by
markrad	0:cdf462088d13	1864	kkert)
markrad	0:cdf462088d13	1865	* rsa_check_private() now supports PKCS1v2 keys as well
markrad	0:cdf462088d13	1866	* Fixed deadlock in rsa_pkcs1_encrypt() on failing random
markrad	0:cdf462088d13	1867	generator
markrad	0:cdf462088d13	1868
markrad	0:cdf462088d13	1869	= Version 0.13.1 released on 2010-03-24
markrad	0:cdf462088d13	1870	Bug fixes
markrad	0:cdf462088d13	1871	* Fixed Makefile in library that was mistakenly merged
markrad	0:cdf462088d13	1872	* Added missing const string fixes
markrad	0:cdf462088d13	1873
markrad	0:cdf462088d13	1874	= Version 0.13.0 released on 2010-03-21
markrad	0:cdf462088d13	1875	Features
markrad	0:cdf462088d13	1876	* Added option parsing for host and port selection to
markrad	0:cdf462088d13	1877	ssl_client2
markrad	0:cdf462088d13	1878	* Added support for GeneralizedTime in X509 parsing
markrad	0:cdf462088d13	1879	* Added cert_app program to allow easy reading and
markrad	0:cdf462088d13	1880	printing of X509 certificates from file or SSL
markrad	0:cdf462088d13	1881	connection.
markrad	0:cdf462088d13	1882
markrad	0:cdf462088d13	1883	Changes
markrad	0:cdf462088d13	1884	* Added const correctness for main code base
markrad	0:cdf462088d13	1885	* X509 signature algorithm determination is now
markrad	0:cdf462088d13	1886	in a function to allow easy future expansion
markrad	0:cdf462088d13	1887	* Changed symmetric cipher functions to
markrad	0:cdf462088d13	1888	identical interface (returning int result values)
markrad	0:cdf462088d13	1889	* Changed ARC4 to use separate input/output buffer
markrad	0:cdf462088d13	1890	* Added reset function for HMAC context as speed-up
markrad	0:cdf462088d13	1891	for specific use-cases
markrad	0:cdf462088d13	1892
markrad	0:cdf462088d13	1893	Bug fixes
markrad	0:cdf462088d13	1894	* Fixed bug resulting in failure to send the last
markrad	0:cdf462088d13	1895	certificate in the chain in ssl_write_certificate() and
markrad	0:cdf462088d13	1896	ssl_write_certificate_request() (found by fatbob)
markrad	0:cdf462088d13	1897	* Added small fixes for compiler warnings on a Mac
markrad	0:cdf462088d13	1898	(found by Frank de Brabander)
markrad	0:cdf462088d13	1899	* Fixed algorithmic bug in mpi_is_prime() (found by
markrad	0:cdf462088d13	1900	Smbat Tonoyan)
markrad	0:cdf462088d13	1901
markrad	0:cdf462088d13	1902	= Version 0.12.1 released on 2009-10-04
markrad	0:cdf462088d13	1903	Changes
markrad	0:cdf462088d13	1904	* Coverage test definitions now support 'depends_on'
markrad	0:cdf462088d13	1905	tagging system.
markrad	0:cdf462088d13	1906	* Tests requiring specific hashing algorithms now honor
markrad	0:cdf462088d13	1907	the defines.
markrad	0:cdf462088d13	1908
markrad	0:cdf462088d13	1909	Bug fixes
markrad	0:cdf462088d13	1910	* Changed typo in #ifdef in x509parse.c (found
markrad	0:cdf462088d13	1911	by Eduardo)
markrad	0:cdf462088d13	1912
markrad	0:cdf462088d13	1913	= Version 0.12.0 released on 2009-07-28
markrad	0:cdf462088d13	1914	Features
markrad	0:cdf462088d13	1915	* Added CMake makefiles as alternative to regular Makefiles.
markrad	0:cdf462088d13	1916	* Added preliminary Code Coverage tests for AES, ARC4,
markrad	0:cdf462088d13	1917	Base64, MPI, SHA-family, MD-family, HMAC-SHA-family,
markrad	0:cdf462088d13	1918	Camellia, DES, 3-DES, RSA PKCS#1, XTEA, Diffie-Hellman
markrad	0:cdf462088d13	1919	and X509parse.
markrad	0:cdf462088d13	1920
markrad	0:cdf462088d13	1921	Changes
markrad	0:cdf462088d13	1922	* Error codes are not (necessarily) negative. Keep
markrad	0:cdf462088d13	1923	this is mind when checking for errors.
markrad	0:cdf462088d13	1924	* RSA_RAW renamed to SIG_RSA_RAW for consistency.
markrad	0:cdf462088d13	1925	* Fixed typo in name of POLARSSL_ERR_RSA_OUTPUT_TOO_LARGE.
markrad	0:cdf462088d13	1926	* Changed interface for AES and Camellia setkey functions
markrad	0:cdf462088d13	1927	to indicate invalid key lengths.
markrad	0:cdf462088d13	1928
markrad	0:cdf462088d13	1929	Bug fixes
markrad	0:cdf462088d13	1930	* Fixed include location of endian.h on FreeBSD (found by
markrad	0:cdf462088d13	1931	Gabriel)
markrad	0:cdf462088d13	1932	* Fixed include location of endian.h and name clash on
markrad	0:cdf462088d13	1933	Apples (found by Martin van Hensbergen)
markrad	0:cdf462088d13	1934	* Fixed HMAC-MD2 by modifying md2_starts(), so that the
markrad	0:cdf462088d13	1935	required HMAC ipad and opad variables are not cleared.
markrad	0:cdf462088d13	1936	(found by code coverage tests)
markrad	0:cdf462088d13	1937	* Prevented use of long long in bignum if
markrad	0:cdf462088d13	1938	POLARSSL_HAVE_LONGLONG not defined (found by Giles
markrad	0:cdf462088d13	1939	Bathgate).
markrad	0:cdf462088d13	1940	* Fixed incorrect handling of negative strings in
markrad	0:cdf462088d13	1941	mpi_read_string() (found by code coverage tests).
markrad	0:cdf462088d13	1942	* Fixed segfault on handling empty rsa_context in
markrad	0:cdf462088d13	1943	rsa_check_pubkey() and rsa_check_privkey() (found by
markrad	0:cdf462088d13	1944	code coverage tests).
markrad	0:cdf462088d13	1945	* Fixed incorrect handling of one single negative input
markrad	0:cdf462088d13	1946	value in mpi_add_abs() (found by code coverage tests).
markrad	0:cdf462088d13	1947	* Fixed incorrect handling of negative first input
markrad	0:cdf462088d13	1948	value in mpi_sub_abs() (found by code coverage tests).
markrad	0:cdf462088d13	1949	* Fixed incorrect handling of negative first input
markrad	0:cdf462088d13	1950	value in mpi_mod_mpi() and mpi_mod_int(). Resulting
markrad	0:cdf462088d13	1951	change also affects mpi_write_string() (found by code
markrad	0:cdf462088d13	1952	coverage tests).
markrad	0:cdf462088d13	1953	* Corrected is_prime() results for 0, 1 and 2 (found by
markrad	0:cdf462088d13	1954	code coverage tests).
markrad	0:cdf462088d13	1955	* Fixed Camellia and XTEA for 64-bit Windows systems.
markrad	0:cdf462088d13	1956
markrad	0:cdf462088d13	1957	= Version 0.11.1 released on 2009-05-17
markrad	0:cdf462088d13	1958	* Fixed missing functionality for SHA-224, SHA-256, SHA384,
markrad	0:cdf462088d13	1959	SHA-512 in rsa_pkcs1_sign()
markrad	0:cdf462088d13	1960
markrad	0:cdf462088d13	1961	= Version 0.11.0 released on 2009-05-03
markrad	0:cdf462088d13	1962	* Fixed a bug in mpi_gcd() so that it also works when both
markrad	0:cdf462088d13	1963	input numbers are even and added testcases to check
markrad	0:cdf462088d13	1964	(found by Pierre Habouzit).
markrad	0:cdf462088d13	1965	* Added support for SHA-224, SHA-256, SHA-384 and SHA-512
markrad	0:cdf462088d13	1966	one way hash functions with the PKCS#1 v1.5 signing and
markrad	0:cdf462088d13	1967	verification.
markrad	0:cdf462088d13	1968	* Fixed minor bug regarding mpi_gcd located within the
markrad	0:cdf462088d13	1969	POLARSSL_GENPRIME block.
markrad	0:cdf462088d13	1970	* Fixed minor memory leak in x509parse_crt() and added better
markrad	0:cdf462088d13	1971	handling of 'full' certificate chains (found by Mathias
markrad	0:cdf462088d13	1972	Olsson).
markrad	0:cdf462088d13	1973	* Centralized file opening and reading for x509 files into
markrad	0:cdf462088d13	1974	load_file()
markrad	0:cdf462088d13	1975	* Made definition of net_htons() endian-clean for big endian
markrad	0:cdf462088d13	1976	systems (Found by Gernot).
markrad	0:cdf462088d13	1977	* Undefining POLARSSL_HAVE_ASM now also handles prevents asm in
markrad	0:cdf462088d13	1978	padlock and timing code.
markrad	0:cdf462088d13	1979	* Fixed an off-by-one buffer allocation in ssl_set_hostname()
markrad	0:cdf462088d13	1980	responsible for crashes and unwanted behaviour.
markrad	0:cdf462088d13	1981	* Added support for Certificate Revocation List (CRL) parsing.
markrad	0:cdf462088d13	1982	* Added support for CRL revocation to x509parse_verify() and
markrad	0:cdf462088d13	1983	SSL/TLS code.
markrad	0:cdf462088d13	1984	* Fixed compatibility of XTEA and Camellia on a 64-bit system
markrad	0:cdf462088d13	1985	(found by Felix von Leitner).
markrad	0:cdf462088d13	1986
markrad	0:cdf462088d13	1987	= Version 0.10.0 released on 2009-01-12
markrad	0:cdf462088d13	1988	* Migrated XySSL to PolarSSL
markrad	0:cdf462088d13	1989	* Added XTEA symmetric cipher
markrad	0:cdf462088d13	1990	* Added Camellia symmetric cipher
markrad	0:cdf462088d13	1991	* Added support for ciphersuites: SSL_RSA_CAMELLIA_128_SHA,
markrad	0:cdf462088d13	1992	SSL_RSA_CAMELLIA_256_SHA and SSL_EDH_RSA_CAMELLIA_256_SHA
markrad	0:cdf462088d13	1993	* Fixed dangerous bug that can cause a heap overflow in
markrad	0:cdf462088d13	1994	rsa_pkcs1_decrypt (found by Christophe Devine)
markrad	0:cdf462088d13	1995
markrad	0:cdf462088d13	1996	================================================================
markrad	0:cdf462088d13	1997	XySSL ChangeLog
markrad	0:cdf462088d13	1998
markrad	0:cdf462088d13	1999	= Version 0.9 released on 2008-03-16
markrad	0:cdf462088d13	2000
markrad	0:cdf462088d13	2001	* Added support for ciphersuite: SSL_RSA_AES_128_SHA
markrad	0:cdf462088d13	2002	* Enabled support for large files by default in aescrypt2.c
markrad	0:cdf462088d13	2003	* Preliminary openssl wrapper contributed by David Barrett
markrad	0:cdf462088d13	2004	* Fixed a bug in ssl_write() that caused the same payload to
markrad	0:cdf462088d13	2005	be sent twice in non-blocking mode when send returns EAGAIN
markrad	0:cdf462088d13	2006	* Fixed ssl_parse_client_hello(): session id and challenge must
markrad	0:cdf462088d13	2007	not be swapped in the SSLv2 ClientHello (found by Greg Robson)
markrad	0:cdf462088d13	2008	* Added user-defined callback debug function (Krystian Kolodziej)
markrad	0:cdf462088d13	2009	* Before freeing a certificate, properly zero out all cert. data
markrad	0:cdf462088d13	2010	* Fixed the "mode" parameter so that encryption/decryption are
markrad	0:cdf462088d13	2011	not swapped on PadLock; also fixed compilation on older versions
markrad	0:cdf462088d13	2012	of gcc (bug reported by David Barrett)
markrad	0:cdf462088d13	2013	* Correctly handle the case in padlock_xcryptcbc() when input or
markrad	0:cdf462088d13	2014	ouput data is non-aligned by falling back to the software
markrad	0:cdf462088d13	2015	implementation, as VIA Nehemiah cannot handle non-aligned buffers
markrad	0:cdf462088d13	2016	* Fixed a memory leak in x509parse_crt() which was reported by Greg
markrad	0:cdf462088d13	2017	Robson-Garth; some x509write.c fixes by Pascal Vizeli, thanks to
markrad	0:cdf462088d13	2018	Matthew Page who reported several bugs
markrad	0:cdf462088d13	2019	* Fixed x509_get_ext() to accept some rare certificates which have
markrad	0:cdf462088d13	2020	an INTEGER instead of a BOOLEAN for BasicConstraints::cA.
markrad	0:cdf462088d13	2021	* Added support on the client side for the TLS "hostname" extension
markrad	0:cdf462088d13	2022	(patch contributed by David Patino)
markrad	0:cdf462088d13	2023	* Make x509parse_verify() return BADCERT_CN_MISMATCH when an empty
markrad	0:cdf462088d13	2024	string is passed as the CN (bug reported by spoofy)
markrad	0:cdf462088d13	2025	* Added an option to enable/disable the BN assembly code
markrad	0:cdf462088d13	2026	* Updated rsa_check_privkey() to verify that (DE) = 1 % (P-1)(Q-1)
markrad	0:cdf462088d13	2027	* Disabled obsolete hash functions by default (MD2, MD4); updated
markrad	0:cdf462088d13	2028	selftest and benchmark to not test ciphers that have been disabled
markrad	0:cdf462088d13	2029	* Updated x509parse_cert_info() to correctly display byte 0 of the
markrad	0:cdf462088d13	2030	serial number, setup correct server port in the ssl client example
markrad	0:cdf462088d13	2031	* Fixed a critical denial-of-service with X.509 cert. verification:
markrad	0:cdf462088d13	2032	peer may cause xyssl to loop indefinitely by sending a certificate
markrad	0:cdf462088d13	2033	for which the RSA signature check fails (bug reported by Benoit)
markrad	0:cdf462088d13	2034	* Added test vectors for: AES-CBC, AES-CFB, DES-CBC and 3DES-CBC,
markrad	0:cdf462088d13	2035	HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512
markrad	0:cdf462088d13	2036	* Fixed HMAC-SHA-384 and HMAC-SHA-512 (thanks to Josh Sinykin)
markrad	0:cdf462088d13	2037	* Modified ssl_parse_client_key_exchange() to protect against
markrad	0:cdf462088d13	2038	Daniel Bleichenbacher attack on PKCS#1 v1.5 padding, as well
markrad	0:cdf462088d13	2039	as the Klima-Pokorny-Rosa extension of Bleichenbacher's attack
markrad	0:cdf462088d13	2040	* Updated rsa_gen_key() so that ctx->N is always nbits in size
markrad	0:cdf462088d13	2041	* Fixed assembly PPC compilation errors on Mac OS X, thanks to
markrad	0:cdf462088d13	2042	David Barrett and Dusan Semen
markrad	0:cdf462088d13	2043
markrad	0:cdf462088d13	2044	= Version 0.8 released on 2007-10-20
markrad	0:cdf462088d13	2045
markrad	0:cdf462088d13	2046	* Modified the HMAC functions to handle keys larger
markrad	0:cdf462088d13	2047	than 64 bytes, thanks to Stephane Desneux and gary ng
markrad	0:cdf462088d13	2048	* Fixed ssl_read_record() to properly update the handshake
markrad	0:cdf462088d13	2049	message digests, which fixes IE6/IE7 client authentication
markrad	0:cdf462088d13	2050	* Cleaned up the XYSSL* #defines, suggested by Azriel Fasten
markrad	0:cdf462088d13	2051	* Fixed net_recv(), thanks to Lorenz Schori and Egon Kocjan
markrad	0:cdf462088d13	2052	* Added user-defined callbacks for handling I/O and sessions
markrad	0:cdf462088d13	2053	* Added lots of debugging output in the SSL/TLS functions
markrad	0:cdf462088d13	2054	* Added preliminary X.509 cert. writing by Pascal Vizeli
markrad	0:cdf462088d13	2055	* Added preliminary support for the VIA PadLock routines
markrad	0:cdf462088d13	2056	* Added AES-CFB mode of operation, contributed by chmike
markrad	0:cdf462088d13	2057	* Added an SSL/TLS stress testing program (ssl_test.c)
markrad	0:cdf462088d13	2058	* Updated the RSA PKCS#1 code to allow choosing between
markrad	0:cdf462088d13	2059	RSA_PUBLIC and RSA_PRIVATE, as suggested by David Barrett
markrad	0:cdf462088d13	2060	* Updated ssl_read() to skip 0-length records from OpenSSL
markrad	0:cdf462088d13	2061	* Fixed the make install target to comply with *BSD make
markrad	0:cdf462088d13	2062	* Fixed a bug in mpi_read_binary() on 64-bit platforms
markrad	0:cdf462088d13	2063	* mpi_is_prime() speedups, thanks to Kevin McLaughlin
markrad	0:cdf462088d13	2064	* Fixed a long standing memory leak in mpi_is_prime()
markrad	0:cdf462088d13	2065	* Replaced realloc with malloc in mpi_grow(), and set
markrad	0:cdf462088d13	2066	the sign of zero as positive in mpi_init() (reported
markrad	0:cdf462088d13	2067	by Jonathan M. McCune)
markrad	0:cdf462088d13	2068
markrad	0:cdf462088d13	2069	= Version 0.7 released on 2007-07-07
markrad	0:cdf462088d13	2070
markrad	0:cdf462088d13	2071	* Added support for the MicroBlaze soft-core processor
markrad	0:cdf462088d13	2072	* Fixed a bug in ssl_tls.c which sometimes prevented SSL
markrad	0:cdf462088d13	2073	connections from being established with non-blocking I/O
markrad	0:cdf462088d13	2074	* Fixed a couple bugs in the VS6 and UNIX Makefiles
markrad	0:cdf462088d13	2075	* Fixed the "PIC register ebx clobbered in asm" bug
markrad	0:cdf462088d13	2076	* Added HMAC starts/update/finish support functions
markrad	0:cdf462088d13	2077	* Added the SHA-224, SHA-384 and SHA-512 hash functions
markrad	0:cdf462088d13	2078	* Fixed the net_set_*block routines, thanks to Andreas
markrad	0:cdf462088d13	2079	* Added a few demonstration programs: md5sum, sha1sum,
markrad	0:cdf462088d13	2080	dh_client, dh_server, rsa_genkey, rsa_sign, rsa_verify
markrad	0:cdf462088d13	2081	* Added new bignum import and export helper functions
markrad	0:cdf462088d13	2082	* Rewrote README.txt in program/ssl/ca to better explain
markrad	0:cdf462088d13	2083	how to create a test PKI
markrad	0:cdf462088d13	2084
markrad	0:cdf462088d13	2085	= Version 0.6 released on 2007-04-01
markrad	0:cdf462088d13	2086
markrad	0:cdf462088d13	2087	* Ciphers used in SSL/TLS can now be disabled at compile
markrad	0:cdf462088d13	2088	time, to reduce the memory footprint on embedded systems
markrad	0:cdf462088d13	2089	* Added multiply assembly code for the TriCore and modified
markrad	0:cdf462088d13	2090	havege_struct for this processor, thanks to David Patiño
markrad	0:cdf462088d13	2091	* Added multiply assembly code for 64-bit PowerPCs,
markrad	0:cdf462088d13	2092	thanks to Peking University and the OSU Open Source Lab
markrad	0:cdf462088d13	2093	* Added experimental support of Quantum Cryptography
markrad	0:cdf462088d13	2094	* Added support for autoconf, contributed by Arnaud Cornet
markrad	0:cdf462088d13	2095	* Fixed "long long" compilation issues on IA-64 and PPC64
markrad	0:cdf462088d13	2096	* Fixed a bug introduced in xyssl-0.5/timing.c: hardclock
markrad	0:cdf462088d13	2097	was not being correctly defined on ARM and MIPS
markrad	0:cdf462088d13	2098
markrad	0:cdf462088d13	2099	= Version 0.5 released on 2007-03-01
markrad	0:cdf462088d13	2100
markrad	0:cdf462088d13	2101	* Added multiply assembly code for SPARC and Alpha
markrad	0:cdf462088d13	2102	* Added (beta) support for non-blocking I/O operations
markrad	0:cdf462088d13	2103	* Implemented session resuming and client authentication
markrad	0:cdf462088d13	2104	* Fixed some portability issues on WinCE, MINIX 3, Plan9
markrad	0:cdf462088d13	2105	(thanks to Benjamin Newman), HP-UX, FreeBSD and Solaris
markrad	0:cdf462088d13	2106	* Improved the performance of the EDH key exchange
markrad	0:cdf462088d13	2107	* Fixed a bug that caused valid packets with a payload
markrad	0:cdf462088d13	2108	size of 16384 bytes to be rejected
markrad	0:cdf462088d13	2109
markrad	0:cdf462088d13	2110	= Version 0.4 released on 2007-02-01
markrad	0:cdf462088d13	2111
markrad	0:cdf462088d13	2112	* Added support for Ephemeral Diffie-Hellman key exchange
markrad	0:cdf462088d13	2113	* Added multiply asm code for SSE2, ARM, PPC, MIPS and M68K
markrad	0:cdf462088d13	2114	* Various improvement to the modular exponentiation code
markrad	0:cdf462088d13	2115	* Rewrote the headers to generate the API docs with doxygen
markrad	0:cdf462088d13	2116	* Fixed a bug in ssl_encrypt_buf (incorrect padding was
markrad	0:cdf462088d13	2117	generated) and in ssl_parse_client_hello (max. client
markrad	0:cdf462088d13	2118	version was not properly set), thanks to Didier Rebeix
markrad	0:cdf462088d13	2119	* Fixed another bug in ssl_parse_client_hello: clients with
markrad	0:cdf462088d13	2120	cipherlists larger than 96 bytes were incorrectly rejected
markrad	0:cdf462088d13	2121	* Fixed a couple memory leak in x509_read.c
markrad	0:cdf462088d13	2122
markrad	0:cdf462088d13	2123	= Version 0.3 released on 2007-01-01
markrad	0:cdf462088d13	2124
markrad	0:cdf462088d13	2125	* Added server-side SSLv3 and TLSv1.0 support
markrad	0:cdf462088d13	2126	* Multiple fixes to enhance the compatibility with g++,
markrad	0:cdf462088d13	2127	thanks to Xosé Antón Otero Ferreira
markrad	0:cdf462088d13	2128	* Fixed a bug in the CBC code, thanks to dowst; also,
markrad	0:cdf462088d13	2129	the bignum code is no longer dependent on long long
markrad	0:cdf462088d13	2130	* Updated rsa_pkcs1_sign to handle arbitrary large inputs
markrad	0:cdf462088d13	2131	* Updated timing.c for improved compatibility with i386
markrad	0:cdf462088d13	2132	and 486 processors, thanks to Arnaud Cornet
markrad	0:cdf462088d13	2133
markrad	0:cdf462088d13	2134	= Version 0.2 released on 2006-12-01
markrad	0:cdf462088d13	2135
markrad	0:cdf462088d13	2136	* Updated timing.c to support ARM and MIPS arch
markrad	0:cdf462088d13	2137	* Updated the MPI code to support 8086 on MSVC 1.5
markrad	0:cdf462088d13	2138	* Added the copyright notice at the top of havege.h
markrad	0:cdf462088d13	2139	* Fixed a bug in sha2_hmac, thanks to newsoft/Wenfang Zhang
markrad	0:cdf462088d13	2140	* Fixed a bug reported by Adrian Rüegsegger in x509_read_key
markrad	0:cdf462088d13	2141	* Fixed a bug reported by Torsten Lauter in ssl_read_record
markrad	0:cdf462088d13	2142	* Fixed a bug in rsa_check_privkey that would wrongly cause
markrad	0:cdf462088d13	2143	valid RSA keys to be dismissed (thanks to oldwolf)
markrad	0:cdf462088d13	2144	* Fixed a bug in mpi_is_prime that caused some primes to fail
markrad	0:cdf462088d13	2145	the Miller-Rabin primality test
markrad	0:cdf462088d13	2146
markrad	0:cdf462088d13	2147	I'd also like to thank Younès Hafri for the CRUX linux port,
markrad	0:cdf462088d13	2148	Khalil Petit who added XySSL into pkgsrc and Arnaud Cornet
markrad	0:cdf462088d13	2149	who maintains the Debian package :-)
markrad	0:cdf462088d13	2150
markrad	0:cdf462088d13	2151	= Version 0.1 released on 2006-11-01
markrad	0:cdf462088d13	2152

Repository toolbox

Repository details

Type:	Library
Created:	29 Sep 2017
Imports:	3
Forks:	0
Commits:	3
Dependents:	0
Dependencies:	0
Followers:	5

This repository is Public (Unlisted).

The code in this repository is Apache licensed.

Important changes to repositories hosted on mbed.com

ChangeLog@1:9ebc941037d5, 2017-09-29 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Important changes to repositories hosted on mbed.com

ChangeLog@1:9ebc941037d5, 2017-09-29 (annotated)

Who changed what in which revision?

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning